High (8.9)

Postiz stored XSS via file upload (CVE-2026-40487) [PoC]

CVE-2026-40487

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to th...

Overview

A security vulnerability in the Postiz AI social media scheduling tool allows authenticated users to upload malicious files to the server. This flaw, tracked as CVE-2026-40487, exists in versions prior to 2.21.6 and has a high severity CVSS score of 8.9.

Vulnerability Details

The vulnerability is a file upload validation bypass. The application’s security check, which should restrict uploads to safe file types, can be circumvented by an attacker spoofing the Content-Type header in their upload request. This allows the upload of arbitrary HTML, SVG, or other executable file types.

Once uploaded, the files are served by the nginx web server with a content type based on the file’s actual extension (e.g., text/html for .html files). This enables a Stored Cross-Site Scripting (XSS) attack, where malicious scripts are hosted on the application’s own domain and execute automatically when accessed by other users.

Impact

Successful exploitation can lead to a full compromise of user accounts within the Postiz application. An attacker could:

  • Perform actions on behalf of other users (session riding).
  • Steal session cookies and authentication tokens to hijack accounts.
  • Deface the application or redirect users to malicious sites.

Since the attack only requires a standard user account, the potential for widespread account takeover is significant.

Remediation and Mitigation

The primary and definitive remediation is to update the Postiz application. The vendor has released a fix in version 2.21.6. All instances running a version prior to 2.21.6 must be upgraded to this version immediately.

If an immediate update is not possible, consider the following temporary mitigation strategies:

  • Review server logs for unexpected file uploads, particularly of HTML or SVG files, from authenticated sessions.
  • Implement a Web Application Firewall (WAF) rule to block requests that upload files with executable extensions but claim a non-executable Content-Type header.
  • Advise users to be cautious of unexpected links or content within the application, though this is not a reliable security control.


Security Insight

This vulnerability highlights the critical importance of validating file uploads on both the client and the server side, with the server-side check being the authoritative one. Relying on client-supplied headers such as Content-Type for security decisions is a recurring anti-pattern, similar to flaws that have led to major compromises in other content management and social platforms. It underscores that even modern AI-integrated applications must apply fundamental, rigorous security hygiene to every input-handling function.
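The two points made above, that a Content-Type-based check is bypassable and that the server-side check must be the authoritative one, in an added TypeScript example that is not Postiz code: a weak check that trusts the client's header beside a hardened check that ignores it and inspects the filename extension and the uploaded bytes. The `Upload` type, the magic-byte allowlist and the sample files are constructed for illustration.

```typescript
// Added example, not Postiz code: the weak check trusts the client's
// Content-Type header; the hardened check inspects the bytes actually uploaded.
type Upload = { filename: string; contentType: string; bytes: Uint8Array };
// Weak: accepts anything the client labels as an image, whatever the bytes are.
function weakCheck(u: Upload): boolean {
  return /^image\/(png|jpeg|gif)$/.test(u.contentType);
}
// Allowlisted extensions and the leading bytes each file must start with.
// SVG is deliberately absent: it is XML and can carry script.
const MAGIC: { [ext: string]: number[] } = {
  png: [0x89, 0x50, 0x4e, 0x47],
  jpg: [0xff, 0xd8, 0xff],
  jpeg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38],
};
function headAsText(bytes: Uint8Array, n: number): string {
  let s = "";
  for (let i = 0; i < Math.min(n, bytes.length); i++) s += String.fromCharCode(bytes[i]);
  return s.toLowerCase();
}

// Hardened: extension allowlist, magic-byte match, then a sniff for markup in the
// first 512 bytes (catches image/HTML polyglots). Content-Type is never consulted.
function hardenedCheck(u: Upload): { ok: boolean; reason: string } {
  const ext = u.filename.toLowerCase().split(".").pop() || "";
  if (!Object.prototype.hasOwnProperty.call(MAGIC, ext)) return { ok: false, reason: "extension ." + ext + " is not allowlisted" };
  const sig = MAGIC[ext];
  if (!sig.every((b, i) => u.bytes[i] === b)) return { ok: false, reason: "magic bytes do not match extension" };
  if (/<(!doctype|html|script|svg|body|iframe)\b/.test(headAsText(u.bytes, 512))) return { ok: false, reason: "content contains markup" };
  return { ok: true, reason: "ok" };
}

// Constructed samples: a spoofed upload (HTML bytes, .html name, image/png header),
// a genuine PNG header, and HTML bytes hiding behind a .png name.
function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const SAMPLES: Upload[] = [
  { filename: "avatar.html", contentType: "image/png", bytes: ascii("<!DOCTYPE html><script>/* ... */</script>") },
  { filename: "avatar.png", contentType: "image/png", bytes: PNG_HEADER },
  { filename: "avatar.png", contentType: "image/png", bytes: ascii("<html><body>not a png</body></html>") },
];
function evaluateSamples(): { name: string; weak: boolean; hardened: boolean; reason: string }[] {
  return SAMPLES.map((u) => ({ name: u.filename, weak: weakCheck(u), hardened: hardenedCheck(u).ok, reason: hardenedCheck(u).reason }));
}
for (const r of evaluateSamples()) console.log(r);
```

The first and third samples pass the weak check because their header claims image/png; the hardened check rejects both from the bytes alone.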


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: Astaruf/CVE-2026-40487 (★ 1)

CVE-2026-40487 | Postiz <= 2.21.5 | Arbitrary File Upload via MIME-Type Spoofing → Stored XSS → Account Takeover | CVSS 8.9 High

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
