{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-48781/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-16T21:31:28.955Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-48781","@id":"https://www.cve.org/CVERecord?id=CVE-2026-48781","description":"Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user from the database. Any authenticated Postiz user could forge a SUPERADMIN session and impersonate arbitrary organizations. This allowed Full Access to the following: all parts of Postiz, including users regi"},"products":[{"@id":"cpe:2.3:a:gitroomhq:postiz-app:\\<_2.21.8:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gitroomhq:postiz-app:\\<_2.21.8:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is recorded in this document. The vulnerability description lists versions prior to 2.21.8 as affected, so check the upstream advisory for a release at or above 2.21.8 and upgrade once it is confirmed.","timestamp":"2026-06-16T21:31:28.955Z"}]}