Description
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.
Published: 2026-04-30
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to upload files to the image upload endpoint of django-mdeditor without any authentication checks or proper sanitization. As a result, an attacker can upload malicious files that may be executed or processed by the application, leading to arbitrary code execution. The weakness is identified as Missing Authentication for a Critical Function (CWE-306).

Affected Systems

All published releases of the django-mdeditor package, which is commonly used as a Markdown editor for Django projects, are affected. No specific version boundaries are given; therefore any installation of django-mdeditor should be considered potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the web-based image upload endpoint that accepts user-supplied files. An attacker who can reach the upload URL does not need credentials to exploit the flaw.

Generated by OpenCVE AI on April 30, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit access to the image upload endpoint to authenticated users only, or remove the endpoint entirely if it is not required.
  • Implement strict validation of uploaded files, including safe filename handling and restricting allowed file types to only those required for the application.
  • Monitor the upload directory for unexpected or suspicious file uploads and establish alerting or automated cleanup procedures.
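The first two recommended actions (require authentication, validate the file name and type) can be expressed as one ordered check sequence in front of the storage step. The following is an added, framework-agnostic example written for this page; it is not OpenCVE's or django-mdeditor's code. Assumptions: the editor only needs raster images (the extension allow-list), a 5 MiB size limit, and an upload root directory; the Django wiring (a view decorated with `login_required`, passing `request.user.is_authenticated` plus the uploaded file's name and bytes into `handle_upload`) is described in comments only.

```python
import os
import re
import secrets
from pathlib import Path
from typing import Optional

# Allow-list of extensions the editor actually needs (assumption: images only).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}

# Leading bytes of the allowed formats, so the content rather than the
# client-supplied name decides what the file is (constructed table).
MAGIC_PREFIXES = (
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"RIFF", ".webp"),  # RIFF container; the WEBP tag is checked separately
)

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(Exception):
    """Raised when an upload fails one of the security checks."""


def sniff_extension(data: bytes) -> Optional[str]:
    """Return the canonical extension for the detected image format, else None."""
    for prefix, ext in MAGIC_PREFIXES:
        if data.startswith(prefix):
            if ext == ".webp" and data[8:12] != b"WEBP":
                continue
            return ext
    return None


def safe_filename(original: str, token: Optional[str] = None) -> str:
    """Reduce a client-supplied name to a safe, unique basename.

    Directory components are dropped (so '../../x.png' cannot escape the
    upload root), the extension must be on the allow-list, and every other
    dot in the stem is replaced so 'shell.php.png' is stored as
    'shell_php_<token>.png' and carries no inner extension for a server
    to honour.
    """
    base = os.path.basename(original.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    ext = {".jpeg": ".jpg"}.get(ext, ext)  # one canonical spelling
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", Path(base).stem)[:40] or "image"
    # A random token makes the stored name unpredictable and collision-free.
    return f"{stem}_{token or secrets.token_hex(8)}{ext}"


def handle_upload(is_authenticated: bool, original_name: str, data: bytes,
                  upload_root: str, token: Optional[str] = None) -> str:
    """Run every check in order and return the path the file may be written to.

    Assumed Django wiring (not shown): a view decorated with @login_required
    and @require_POST calls this with request.user.is_authenticated, the
    UploadedFile's .name and .read(), and settings-derived upload_root.
    """
    if not is_authenticated:
        raise UploadRejected("authentication required")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    name = safe_filename(original_name, token)
    sniffed = sniff_extension(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image")
    if Path(name).suffix != sniffed:
        raise UploadRejected(f"name says {Path(name).suffix}, content says {sniffed}")
    # Defence in depth: confirm the final path is still inside the upload root.
    root = Path(upload_root).resolve()
    dest = (root / name).resolve()
    if root not in dest.parents:
        raise UploadRejected("path escapes upload root")
    return str(dest)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(handle_upload(True, "../../etc/passwd.png", png, "uploads"))
    for auth, name, blob in [(False, "a.png", png), (True, "a.png", b"not an image")]:
        try:
            handle_upload(auth, name, blob, "uploads")
        except UploadRejected as exc:
            print(f"rejected {name!r}: {exc}")
```

The order matters: the authentication check runs before any byte of the upload is inspected, so unauthenticated requests cost nothing and produce a single, loggable rejection reason. The content sniff is what makes the extension allow-list meaningful; without it a renamed script passes the name check.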

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 14:15:00 +0000

Type: Title
Values Added: Remote Code Execution via Unauthenticated Image Upload in django-mdeditor

Thu, 30 Apr 2026 05:30:00 +0000

Type: Description
Values Added: All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.

Type: Weaknesses
Values Added: CWE-306

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:P'}
Values Added: cvssV4_0
  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-04-30T15:21:40.068Z

Reserved: 2025-11-11T15:24:50.891Z

Link: CVE-2025-13030

Vulnrichment

Updated: 2026-04-30T15:18:13.659Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T06:16:14.860

Modified: 2026-04-30T15:48:26.580

Link: CVE-2025-13030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:00:22Z

Weaknesses