CVE-2026-42298— Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev

Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

Gitroom Postiz 代码注入漏洞

Gitroom Postiz是Gitroom开源的一个社交媒体日程安排工具。 Gitroom Postiz da44801之前版本存在代码注入漏洞，该漏洞源于构建和发布PR Docker镜像工作流中存在Pwn Request漏洞，可能导致未授权用户在Docker构建过程中执行任意代码。

N/A

N/A