CVE-2025-13030 · CRITICAL 9.8 · EPSS percentile 22.3%


Description

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. Because the endpoint requires no authentication and does not sanitise uploaded file names, an attacker can upload malicious files and achieve arbitrary code execution.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.3% · scored 2026-06-18T12:00:27Z
Published: 2026-04-30
Last modified: 2026-05-05

Underlying weaknesses (1)

CWE-306: Missing Authentication for Critical Function

References

  1. https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25
  2. https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe
  3. https://github.com/pylixm/django-mdeditor/issues/151
  4. https://github.com/pylixm/django-mdeditor/pull/185
  5. https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926

Type      Target                                                  Confidence  Tier
Weakness  Missing Authentication for Critical Function (cwe-306)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-11621
  2. CVE-2025-3115
  3. CVE-2024-11404
  4. CVE-2025-13329
  5. CVE-2025-12153
  6. CVE-2025-9112

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.