CVE-2026-42298

Published: May 8, 2026Modified: Jun 1, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

Affected (1)

Products: Gitroom: Postiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gitroom Postiz	Before 2.21.7

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46

Source: security-advisories@github.com

URL Repurposed

https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.