CVE-2026-42298 - Vulnerability Analysis
Severity: Critical | CVSS: 10.0 | Last Updated: May 8, 2026
Postiz - Remote Code Execution & Information Disclosure
Published: May 8, 2026 | Updated: May 8, 2026 | Remotely exploitable
Overview
Postiz contains a remote code execution vulnerability: its Build and Publish PR Docker Image workflow processes an untrusted Dockerfile.dev taken from a forked pull request. An unauthenticated attacker who opens a malicious forked pull request can execute arbitrary code in the workflow run and exfiltrate the workflow's privileged GITHUB_TOKEN.
Severity & Score
Severity: Critical
CVSS Score: 10.0
Impact
Unauthenticated attackers can execute arbitrary code and steal highly privileged tokens, leading to full repository compromise.
Mitigation
Update to a version that includes commit da44801 or later.
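As an added illustration of the workflow pattern behind this class of issue (a hypothetical workflow, not Postiz's actual file and not the change made in commit da44801), the risky configuration beside a hardened variant:

```yaml
# Risky pattern (hypothetical): pull_request_target runs in the base
# repository's context, with a write-capable GITHUB_TOKEN and access to
# secrets, yet it checks out and builds the fork's Dockerfile.dev. Every
# RUN instruction in that file is attacker-controlled build-time code.
name: Build and Publish PR Docker Image
on:
  pull_request_target:
permissions:
  contents: write
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted fork code
      - run: docker build -f Dockerfile.dev -t pr-image .  # untrusted build steps
---
# Hardened variant: trigger on pull_request instead. For pull requests from
# forks, GitHub runs this with a read-only GITHUB_TOKEN and no repository
# secrets, so a malicious Dockerfile.dev has nothing privileged to steal.
# Publishing belongs in a separate workflow triggered by push to main.
name: Build PR Docker Image
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -f Dockerfile.dev -t pr-image .  # build only, never push
```

To check exposure in any repository, search .github/workflows for `pull_request_target` combined with a checkout of the pull request head and a build step, and confirm the job's permissions are the minimum it needs.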
Details
- CVE ID: CVE-2026-42298
- Severity: Critical
- CVSS Score: 10.0
- Type: command_injection
- Status: new
- CWE: CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H