CVE-2026-40487 (Gitroom · Postiz)
Vulnerability data via NVD (ingested)
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
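A defender-side illustration of the fix the description implies, added here and not taken from the Postiz project: the client's `Content-Type` header is ignored, the stored type is derived from a server-side extension allowlist cross-checked against the file's leading bytes, and the serve path emits only that stored type with `nosniff`. The function names, the allowlist and the sample bytes are constructed for the example.

```python
# Added example (defensive illustration, not Postiz code): an upload gate that
# never trusts the client-supplied Content-Type. The type is derived from a
# server-side extension allowlist and cross-checked against the file's leading
# bytes, so a body relabelled as image/png is still rejected.
import os
from typing import Optional

# Extensions the uploader accepts, each with the MIME type the server will
# store and the magic bytes the body must start with. HTML and SVG are
# deliberately absent: both run script when served inline from the app origin.
ALLOWED = {
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}


def validate_upload(filename: str, data: bytes, client_content_type: str) -> Optional[str]:
    """Return the Content-Type the server will store (and later serve) for this
    file, or None if the upload must be rejected. `client_content_type` is the
    request header: it is logged for forensics but never used for the decision."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        print(f"reject {filename!r}: extension not allowed (client claimed {client_content_type})")
        return None
    content_type, signatures = ALLOWED[ext]
    if not any(data.startswith(sig) for sig in signatures):
        print(f"reject {filename!r}: body is not {ext} (client claimed {client_content_type})")
        return None
    return content_type


def serving_headers(stored_content_type: str) -> dict:
    """Headers for the static route that serves uploads. The type is the value
    recorded at upload time, not one re-derived from the user-chosen file name,
    and nosniff stops the browser from second-guessing it. The CSP sandbox is
    defence in depth: should markup ever slip through, it runs with an opaque
    origin and no script rather than in the application's origin."""
    return {
        "Content-Type": stored_content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
```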
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan:
- `vuln:CVE-2026-40487`
- `product:"Gitroom Postiz"`
- `http.html:"Postiz"`

Censys:
- `vulnerabilities.cve_id: CVE-2026-40487`

Web search:
- `"CVE-2026-40487" exploit -site:nvd.nist.gov`