PT-2026-39214 · Postiz · Postiz

Published: 2026-05-08 · Updated: 2026-05-19 · CVE-2026-42346

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Postiz versions 2.16.6 through 2.21.6

Description: Postiz is an AI social media scheduling tool. A Time-of-Check-Time-of-Use (TOCTOU) issue exists in the isSafePublicHttpsUrl() function: it resolves the target hostname via DNS and validates the resulting IP address, but the subsequent fetch() calls perform their own, independent DNS resolution. An attacker controlling the authoritative DNS server for a hostname can use DNS rebinding (alternating the IP address returned for successive queries) so that the validation sees a public address while the actual request is sent to an internal network address, leading to Server-Side Request Forgery (SSRF).

Recommendations: Update to version 2.21.7.

Tags: Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-42346

Affected Products: Postiz