


Perceptive Security
SOC/SIEM Consultancy

Published:
29 April 2026 at 22:00:00
Alert date:
30 April 2026 at 07:00:50
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
All versions of the django-mdeditor package are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. The endpoint lacks proper authentication protection and file name sanitization, so an attacker can upload malicious files without authenticating and achieve arbitrary code execution. All versions of the package are affected; the issue has been assigned CVE-2025-13030.
Affected products:
django-mdeditor
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-13030
https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py#L25
https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe
https://github.com/pylixm/django-mdeditor/issues/151
https://github.com/pylixm/django-mdeditor/pull/185
https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926
This article was created with the assistance of AI technology by Perceptive.
