CVE-2025-13030
Vexday Risk Score
13 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1 · EPSS 0.3% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
30 Apr 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P
Affected products
n/a · django-mdeditor
References
https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25
https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe
https://github.com/pylixm/django-mdeditor/issues/151
https://github.com/pylixm/django-mdeditor/pull/185
https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926