CVE Catalog

CVE-2026-48781

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, an attacker could exploit a vulnerability in the Skool integration to forge a SUPERADMIN session, allowing impersonation of arbitrary organizations.

Risk Assessment

This vulnerability allows full access to all parts of Postiz, including user data and the ability to post on behalf of victims on their social media channels.

Recommendation

It is recommended to upgrade to version 2.21.8 or later to secure the application against this type of attack.

Original NVD description (English source)

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users registered to the specific instance and the ability to post in the name of the victim's social media channels added to that Postiz instance. This issue has been fixed in version 2.21.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS