


Perceptive Security
SOC/SIEM Consultancy

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query par…
Published:
1 April 2026 at 22:00:00
Alert date:
2 April 2026 at 19:04:21
Source:
nvd.nist.gov
Web Technologies
Postiz, an AI social media scheduling tool, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 2.21.3. The vulnerability exists in the GET /public/stream endpoint which accepts user-supplied URL parameters and proxies HTTP responses without proper validation. The only validation performed is checking if the URL ends with 'mp4', which can be easily bypassed by appending .mp4 as a query parameter or URL fragment. This unauthenticated vulnerability allows attackers to access internal services, cloud metadata endpoints, and other network-internal resources. The issue has been patched in version 2.21.3.
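As an added illustration (not Postiz's own code), the TypeScript below places the string-suffix check described above beside a hardened validator for a media-proxy endpoint; the function names, the blocked-range list and the injected DNS resolver are assumptions, chosen so the example runs offline.

```typescript
// Added example, not Postiz's code: the weak "ends with mp4" check beside a
// hardened validator. Function names and the blocked ranges are assumptions.
import { URL } from "node:url";
import { isIP } from "node:net";

// Weak check on the raw string: a "?x=.mp4" query or "#.mp4" fragment satisfies it.
export function weakCheck(raw: string): boolean {
  return raw.endsWith("mp4");
}

// Addresses a media proxy must never fetch: loopback, unspecified, RFC 1918,
// link-local (169.254.0.0/16 includes the cloud metadata address), IPv6 ULA.
function isBlockedAddress(addr: string): boolean {
  const version = isIP(addr);
  if (version === 6) {
    const a = addr.toLowerCase();
    return a === "::1" || a === "::" || a.startsWith("fe80:") ||
      a.startsWith("fc") || a.startsWith("fd") || a.startsWith("::ffff:");
  }
  if (version !== 4) return true; // not an IP literal: fail closed
  const [a, b] = addr.split(".").map(Number);
  return a === 127 || a === 10 || a === 0 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The resolver is injected so the example runs offline; in production supply
// one backed by dns.promises.resolve and connect to the address it returned.
export type Resolver = (host: string) => string[];
const literalOnly: Resolver = (h) => (isIP(h) ? [h] : []);

function parse(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Hardened check: parse with the WHATWG parser (which normalises IPv4 forms),
// restrict the scheme, test the suffix on the path only, and reject any
// hostname that resolves to a blocked address. Unresolvable hosts fail closed.
export function hardenedCheck(raw: string, resolve: Resolver = literalOnly): boolean {
  const u = parse(raw);
  if (!u || (u.protocol !== "https:" && u.protocol !== "http:")) return false;
  if (u.username || u.password) return false;
  if (!u.pathname.toLowerCase().endsWith(".mp4")) return false;
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".internal")) return false;
  const addrs = resolve(host);
  return addrs.length > 0 && addrs.every((a) => !isBlockedAddress(a));
}
```

Even with this validator, the fetch itself should connect to the address the resolver returned rather than re-resolving the hostname, so that a changed DNS answer cannot slip past the check.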
Technical details
Mitigation steps:
Upgrade Postiz to version 2.21.3 or later, the release in which the issue is patched.
Affected products:
Postiz
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-34577
https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.3
https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-mv6h-v3jg-g539
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
