PT-2026-29853 · Postiz · Postiz
Offset · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34577
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Postiz versions prior to 2.21.3
Description: The GET /public/stream endpoint in PublicController lacks proper validation and SSRF protections. It accepts a user-supplied url query parameter, fetches that URL server-side and proxies the full HTTP response back to the caller. The only validation, url.endsWith('mp4'), tests a string suffix rather than the destination, so any URL whose text ends in mp4 is accepted regardless of the host it points at. An unauthenticated attacker can therefore make the server request internal services and cloud metadata endpoints and read their responses; the Scope: Changed component of the vector reflects that the impact lands on those other systems rather than on Postiz itself.
Recommendations: Update to version 2.21.3 or later.
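The following is an added example, not Postiz code and not the fix shipped in 2.21.3: it places the bare suffix check the advisory describes next to a validator that inspects the destination of the URL before a proxy endpoint fetches it. The function names (weakCheck, validateStreamUrl, Verdict), the https-only policy and the blocked-name list are assumptions made for the illustration.

```typescript
// Added example: not Postiz code and not the 2.21.3 fix. It contrasts the
// bare suffix check the advisory describes with a validator that looks at the
// destination. Names (weakCheck, validateStreamUrl, Verdict) are hypothetical.
import { isIP } from "node:net";

/** The check described in the advisory: a suffix test on the raw string.
 *  Any URL whose text ends in "mp4" passes, whatever host it points at. */
export function weakCheck(url: string): boolean {
  return url.endsWith("mp4");
}

/** Literal IPv4 ranges a public proxy must never fetch from: "this network",
 *  loopback, RFC 1918, CGNAT, link-local (which contains the 169.254.169.254
 *  cloud metadata address) and multicast/reserved space. */
function isBlockedIpv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

/** IPv6: loopback, unspecified, link-local, ULA and IPv4-mapped addresses
 *  (the WHATWG parser serialises ::ffff:169.254.169.254 as ::ffff:a9fe:a9fe). */
function isBlockedIpv6(ip: string): boolean {
  const v = ip.toLowerCase();
  if (v === "::1" || v === "::") return true;
  if (/^fe[89ab]/.test(v) || /^f[cd]/.test(v)) return true;
  const hex = v.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return isBlockedIpv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  const dotted = v.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return dotted ? isBlockedIpv4(dotted[1]) : false;
}

/** Hostnames that name local or metadata services regardless of their IP
 *  (assumed list; extend for the platforms you deploy on). */
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata"]);

export type Verdict = { ok: true; target: URL } | { ok: false; reason: string };

/** Validate a user-supplied stream URL before any outbound request is made. */
export function validateStreamUrl(raw: string): Verdict {
  let u: URL;
  try {
    u = new URL(raw); // also normalises forms such as 2852039166 to 169.254.169.254
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "only https is proxied" };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: "blocked hostname" };
  const family = isIP(host);
  if ((family === 4 && isBlockedIpv4(host)) || (family === 6 && isBlockedIpv6(host))) {
    return { ok: false, reason: "internal or metadata address" };
  }
  // Extension test on the decoded path only, never on the whole string,
  // so a query string or fragment ending in "mp4" does not satisfy it.
  let path: string;
  try {
    path = decodeURIComponent(u.pathname);
  } catch {
    return { ok: false, reason: "bad path encoding" };
  }
  if (!/\.mp4$/i.test(path)) return { ok: false, reason: "path is not an .mp4" };
  return { ok: true, target: u };
}
```

A check on the parsed URL is only the first layer. A public hostname can resolve to an internal address, and a permitted origin can redirect to one, so the fetch layer must also refuse to follow redirects (or re-validate each hop) and should validate the address it actually connects to rather than the name in the URL. Restricting the endpoint to an allowlist of known media hosts is simpler still where the product permits it.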

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-34577

Affected Products: Postiz