SSRF in Gitroomhq Postiz-app

CVE-2026-34576

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (12.5th percentile)

Affected products

Weakness classification (CWE)

References