CVE-2026-48799

Source
https://cve.org/CVERecord?id=CVE-2026-48799
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48799.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48799
Aliases
  • GHSA-j7rp-5mgj-qgg9
Published
2026-07-15T16:11:24.967Z
Modified
2026-07-17T03:47:05.023072820Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
Summary
Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook
Details

Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary organizations lifetime PRO subscriptions without payment. This issue is fixed in version 2.21.8.

Database specific
{
    "cwe_ids": [
        "CWE-345",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48799.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gitroomhq/postiz-app

Affected ranges

Type
GIT
Repo
https://github.com/gitroomhq/postiz-app
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.21.8"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.6.0
v0.*
v0.0.1
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.10.1
v1.2.0
v1.22.1
v1.23.1
v1.23.2
v1.24.1
v1.26.1
v1.27.2
v1.28.1
v1.29.1
v1.3.0
v1.30.1
v1.31.1
v1.32.1
v1.33.1
v1.33.2
v1.34.1
v1.35.1
v1.36.1
v1.37.1
v1.37.2
v1.37.3
v1.37.4
v1.38.1
v1.38.2
v1.39.2
v1.39.3
v1.4.0
v1.40.0
v1.40.1
v1.41.0
v1.41.1
v1.43.0
v1.43.1
v1.43.2
v1.43.3
v1.43.4
v1.43.5
v1.44.1
v1.44.2
v1.45.1
v1.47.0
v1.48.1
v1.48.2
v1.48.3
v1.48.4
v1.49.0
v1.49.1
v1.5.0
v1.50.0
v1.51.0
v1.52.0
v1.52.1
v1.52.2
v1.53.0
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.55.2
v1.55.3
v1.55.4
v1.55.5
v1.56.0
v1.57.0
v1.58.0
v1.59.0
v1.6.1
v1.6.12
v1.6.2
v1.6.4
v1.6.9
v1.60.0
v1.60.1
v1.61.0
v1.61.2
v1.62.0
v1.62.1
v1.62.2
v1.62.3
v1.63.0
v1.64.0
v1.64.1
v1.65.0
v1.65.1
v1.65.2
v1.65.3
v1.65.4
v1.65.5
v1.65.6
v1.65.7
v1.7.12
v1.8.1
v2.*
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.1.1
v2.1.2
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.11.3
v2.12.0
v2.12.1
v2.13.0
v2.14.0
v2.15.0
v2.15.1
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.2.3
v2.2.4
v2.2.5
v2.20.0
v2.20.1
v2.20.2
v2.21.0
v2.21.1
v2.21.2
v2.21.3
v2.21.5
v2.21.6
v2.21.7
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.7.0
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48799.json"