CVE-2026-34590

low-risk

Published 2026-04-02

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl. When a post is published, the orchestrator fetches the stored webhook URL without runtime validation, enabling blind SSRF against internal services. This issue has been patched in version 2.21.4.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Postiz

Affected Vendors

Gitroom

References (3)

Patch https://github.com/gitroomhq/postiz-app/commit/5ae4c950db6aa516a31454b7a45b9480b...

Product https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.4

Exploit https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-wc9c-7cv8-m225

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal