Home / Vulnerability Intelligence / CVE-2026-34577

CVE-2026-34577 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: April 3, 2026

Postiz - Server Side Request Forgery

Published: April 2, 2026Updated: April 3, 2026Remote Exploitable

Overview

Postiz < 2.21.3 contains a server side request forgery caused by insufficient validation of the url parameter in GET /public/stream, letting unauthenticated attackers read internal network resources, exploit requires no authentication.

Severity & Score

Severity: High

CVSS Score: 8.6

EPSS Score: 9.2%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can read internal network and cloud metadata responses, potentially exposing sensitive internal information.

Mitigation

Update to version 2.21.3 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 3, 2026

🟠 CVE-2026-34577 - High (8.6) Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is ur... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34577/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-34577
Severity: High
CVSS Score: 8.6
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 9.2%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

9.2%Probability of exploitation in the next 30 days