{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/postiz/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.9,"id":"CVE-2026-40487"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Postiz"],"_cs_severities":["high"],"_cs_tags":["xss","file-upload","vulnerability","cve-2026-40487","postiz"],"_cs_type":"advisory","_cs_vendors":["Postiz"],"content_html":"\u003cp\u003ePostiz, an AI-driven social media scheduling tool, is vulnerable to a file upload bypass that can be exploited by authenticated users. Prior to version 2.21.6, the application fails to properly validate uploaded files, allowing attackers to bypass intended restrictions. By spoofing the \u003ccode\u003eContent-Type\u003c/code\u003e header during the upload process, malicious actors can inject arbitrary HTML, SVG, or other executable file types onto the server. Nginx then serves these files with a Content-Type derived from their extension, such as \u003ccode\u003etext/html\u003c/code\u003e or \u003ccode\u003eimage/svg+xml\u003c/code\u003e, which facilitates the execution of Stored Cross-Site Scripting (XSS) attacks within the application's context. This vulnerability enables session riding, account takeover, and potentially full compromise of other user accounts. The vulnerability is identified as CVE-2026-40487 and is resolved in version 2.21.6 of Postiz.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Postiz application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file (e.g., an HTML or SVG file) containing XSS payload.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the file upload request using a proxy (e.g., Burp Suite) or browser developer tools.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eContent-Type\u003c/code\u003e header of the upload request to bypass the file validation. For example, an attacker could upload an HTML file but set the Content-Type to \u0026quot;image/jpeg\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request to the Postiz server.\u003c/li\u003e\n\u003cli\u003eThe Postiz server saves the file without proper validation and stores it on the server.\u003c/li\u003e\n\u003cli\u003eNginx serves the malicious file with a Content-Type derived from the file extension, allowing the XSS payload to execute when another user accesses the file.\u003c/li\u003e\n\u003cli\u003eThe XSS payload executes in the victim's browser, allowing the attacker to steal cookies, session tokens, or inject malicious content, leading to account takeover or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including session riding, account takeover, and full compromise of other users' accounts. An attacker could steal sensitive information, inject malicious scripts into the application, or deface the website. Given that Postiz is a social media scheduling tool, a successful attack could also be leveraged to spread misinformation or compromise connected social media accounts. The exact number of affected users is unknown, but all Postiz users prior to version 2.21.6 are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Postiz to version 2.21.6 or later to patch CVE-2026-40487 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Postiz File Upload Content-Type Override\u0026quot; to detect attempts to exploit the vulnerability in real-time.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e) for unusual \u003ccode\u003eContent-Type\u003c/code\u003e headers during file uploads.\u003c/li\u003e\n\u003cli\u003eImplement strict file validation on the server-side, verifying file types based on their content rather than relying solely on the \u003ccode\u003eContent-Type\u003c/code\u003e header.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-postiz-xss/","summary":"An authenticated file upload validation bypass in Postiz prior to version 2.21.6 allows attackers to upload arbitrary HTML, SVG, or other executable file types by spoofing the `Content-Type` header, resulting in stored XSS and potential account takeover.","title":"Postiz File Upload Vulnerability Leads to Stored XSS (CVE-2026-40487)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-postiz-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Postiz","version":"https://jsonfeed.org/version/1.1"}