CVE-2026-40487
Published: 18 April 2026
Summary
CVE-2026-40487 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitroom Postiz. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the file upload validation bypass by requiring comprehensive validation of uploaded file content and types beyond spoofed Content-Type headers.
Mitigates stored XSS by filtering output of served files to neutralize executable HTML, SVG, or script content.
Provides malicious code protection mechanisms to scan and block dangerous executable files or XSS payloads during upload.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a file upload bypass in a public-facing web application that enables delivery of malicious HTML/SVG/JS content resulting in stored XSS and arbitrary JavaScript execution in victim browsers, directly mapping to T1190 (exploiting the public-facing app) and T1059.007 (abusing JavaScript for execution).
NVD Description
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The…
more
uploaded files are then served by nginx with a Content-Type derived from their original extension (`text/html`, `image/svg+xml`), enabling Stored Cross-Site Scripting (XSS) in the context of the application's origin. This can lead to session riding, account takeover, and full compromise of other users' accounts. Version 2.21.6 contains a fix.
Deeper analysisAI
CVE-2026-40487 is a file upload validation bypass vulnerability in Postiz, an AI social media scheduling tool, affecting versions prior to 2.21.6. The flaw allows authenticated users to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the Content-Type header. These uploaded files are served by nginx with a Content-Type derived from their original file extension, such as text/html or image/svg+xml, enabling stored Cross-Site Scripting (XSS) in the context of the application's origin. The vulnerability is associated with CWEs-79 (XSS), CWE-345 (insufficient verification of data authenticity), and CWE-434 (unrestricted upload of files with dangerous type), and carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L).
Any authenticated user with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. Attackers can upload malicious files that, when viewed or accessed by other users, execute JavaScript in the application's origin context. This enables session riding, account takeover, and full compromise of other users' accounts through the resulting stored XSS.
The GitHub security advisory (GHSA-44wg-r34q-hvfx) and release notes for version 2.21.6 confirm that updating to Postiz v2.21.6 resolves the issue by addressing the file upload validation bypass.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Machine Learning Libraries
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai