Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gitroomhq
Gitroomhq postiz-app |
|
| Vendors & Products |
Gitroomhq
Gitroomhq postiz-app |
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8. | |
| Title | Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook | |
| Weaknesses | CWE-345 CWE-639 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T18:01:49.289Z
Reserved: 2026-05-22T20:18:20.366Z
Link: CVE-2026-48799
Updated: 2026-07-15T18:01:45.596Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:00:06Z