CVE-2026-40487 - Vulnerability Analysis
HighCVSS: 8.9Last Updated: April 18, 2026
Postiz - Stored XSS
Overview
Postiz < 2.21.6 contains a stored XSS caused by file upload validation bypass via spoofed Content-Type header, letting authenticated users upload executable files leading to account takeover, exploit requires authentication.
Severity & Score
Impact
Authenticated attackers can execute stored scripts, leading to account takeover and full compromise of other users.
Mitigation
Update to version 2.21.6 or later.
References
Social Media Activity(2 posts)
š CVE-2026-40487 - High (8.9) Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header.... š https://www.thehackerwire.com/vulnerability/CVE-2026-40487/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-40487 - High (8.9) Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header.... š https://www.thehackerwire.com/vulnerability/CVE-2026-40487/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postGitHub Repositories(1 repo)
Related Resources
Details
- CVE ID
- CVE-2026-40487
- Severity
- High
- CVSS Score
- 8.9
- Type
- stored_xss
- Status
- new
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L