CVE-2025-13030

HIGH 7.1

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.

CWE	CWE-306
Vendor	n/a
Product	django-mdeditor
Published	Apr 30, 2026

Stay Ahead of the Next One

Get instant alerts for n/a django-mdeditor

Be the first to know when new high vulnerabilities affecting n/a django-mdeditor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

n/a / django-mdeditor

0 < *

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.snyk.io: https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926 github.com: https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25 github.com: https://github.com/pylixm/django-mdeditor/issues/151 github.com: https://github.com/pylixm/django-mdeditor/pull/185 github.com: https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe

Credits

Jeager Coder