Auth bypass in Gitroomhq Postiz-app
CVE-2026-48799
Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request…
CVSS v3 metric
CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N.
Affected products
- Gitroomhq Postiz-app — versions < 2.21.8
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-48799?
- CVE-2026-48799 is a high-severity vulnerability in Gitroomhq Postiz-app, classified under Insufficient Verification of Data Authenticity. CVSS score: 7.7/10. Published 2026-07-15.
- How severe is CVE-2026-48799?
- High severity. CVSS v3 base score is 7.7 out of 10.