Cyber Resilience

CVE-2025-13030

Severity: Low

Published: 30 April 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS v4 score: 2.0
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0031 (22.6th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2025-13030 is a Missing Authentication for Critical Function (CWE-306) vulnerability in the Pylixm django-mdeditor package. This page rates it Low on its CVSS v4 base score of 2.0; the CVSS v3.1 score recorded in the deeper analysis below is 7.1 (High), so the severity label you see depends on which vector is being applied, and the two should not be read as contradicting the same facts.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-13030 affects django-mdeditor, a Django extension that adds a Markdown editor with image upload; the advisory lists all versions of the PyPI package as affected. The flaw is a missing authentication check on the image upload endpoint (CWE-306, Missing Authentication for Critical Function): any network client can post a file to it, and because the handler also fails to sanitise the client-supplied file name, the attacker chooses where and under what name the file is written. The advisory states that this leads to arbitrary code execution. The recorded CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), High, driven by network reachability, no privileges required and a changed scope (S:C), not by any privilege escalation.

An unauthenticated attacker (PR:N) reaches the endpoint over the network (AV:N) with low complexity (AC:L). The vector also records user interaction (UI:R), which the page reads as a legitimate user being induced to open a crafted link or otherwise interact with the endpoint; the missing authentication check itself does not depend on that, since nothing stops an anonymous client from posting directly. A file whose name is not sanitised can escape the intended upload directory or carry an executable extension, which is how the advisory reaches arbitrary code execution on the server (S:C). Note that the vector scores each impact as Low (C:L/I:L/A:L), below what confirmed code execution would normally warrant; the narrative and the scoring do not fully agree, so rate the issue for your own deployment according to whether the upload directory is served by a web server or reachable by an interpreter.

Upstream material: the vulnerable handler in views.py (line 25), fixing commit 3e80f9edcabc5d2fc136b05a501964b8a5e97cfe, issue #151 and pull request #185 in the django-mdeditor GitHub repository. Snyk tracks the issue as SNYK-PYTHON-DJANGOMDEDITOR-8630926 and recommends upgrading to a version in which authentication and file-name sanitisation have been implemented. Because the affected range is "all versions", confirm that the release you deploy actually contains that commit; if it does not, apply the change from the pull request, or gate the upload URL behind authentication in your own URL configuration or at the web server until a fixed release is available.
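The following is an added example, not django-mdeditor's own code or its fix, showing the CWE-306 pattern the advisory describes beside a hardened handler. Framework-free stand-ins replace Django's request object so it runs without Django; the upload root, the form field name `editormd-image-file` and the allowlist are assumptions. The hardened version applies the three controls listed later on this page: it refuses anonymous callers (AC-14/AC-3), checks the file content against its declared type (SI-10), and never reuses the client-supplied name.

```python
import os
import secrets
from dataclasses import dataclass, field

UPLOAD_ROOT = "/srv/app/media/editor"   # assumed MEDIA_ROOT subdirectory for editor images
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "webp"}

# Leading bytes of the accepted formats; the stored extension is derived from these,
# not from whatever name the client sent.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# Constructed sample: a minimal PNG header followed by padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)


@dataclass
class Upload:
    name: str      # client-supplied file name, fully attacker-controlled
    data: bytes


@dataclass
class Request:
    authenticated: bool
    files: dict = field(default_factory=dict)
    method: str = "POST"


class Rejected(Exception):
    pass


def vulnerable_target_path(request):
    """The CWE-306 pattern: no identity check, and the client name decides the path.
    Returns where the file would be written; nothing is written here."""
    up = request.files["editormd-image-file"]   # assumed form field name
    # '../' segments survive os.path.join, and an absolute name discards UPLOAD_ROOT.
    return os.path.normpath(os.path.join(UPLOAD_ROOT, up.name))


def sniff_image(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def hardened_target_path(request):
    """AC-14/AC-3: refuse anonymous callers. SI-10: validate the content and
    generate the stored name server-side instead of trusting the client name."""
    if request.method != "POST":
        raise Rejected("method not allowed")
    if not request.authenticated:
        raise Rejected("authentication required")      # a Django view would return 401/403
    up = request.files.get("editormd-image-file")
    if up is None:
        raise Rejected("no file in request")

    # The client extension is consulted only to compare against the allowlist.
    ext = os.path.splitext(os.path.basename(up.name))[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        raise Rejected(f"extension {ext!r} not allowed")
    ext = "jpg" if ext == "jpeg" else ext

    kind = sniff_image(up.data)
    if kind != ext:
        raise Rejected("content does not match the declared image type")

    # Server-generated name: no traversal, no double extensions, no .htaccess tricks.
    path = os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{kind}")
    if os.path.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT:
        raise Rejected("path escaped upload root")     # defence in depth only
    return path


def try_upload(request):
    """Run the hardened handler and report ('stored', path) or ('rejected', reason)."""
    try:
        return ("stored", hardened_target_path(request))
    except Rejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    evil = Upload("../../../var/www/html/shell.py", b"print(1)")
    print("vulnerable would write to:", vulnerable_target_path(Request(False, {"editormd-image-file": evil})))
    print("hardened, anonymous:", try_upload(Request(False, {"editormd-image-file": Upload("a.png", PNG_SAMPLE)})))
    print("hardened, authenticated:", try_upload(Request(True, {"editormd-image-file": Upload("../../a.png", PNG_SAMPLE)})))
```

In a real Django view the identity check is the `login_required` or `staff_member_required` decorator on the upload view, and the path check is redundant once the name is generated; it is kept because it costs nothing and catches a future refactor that reintroduces the client name.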


Vulnerability details

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution, since this endpoint lacks authentication protection and proper sanitisation of file names.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The missing authentication check on the upload endpoint is the weakness T1190 exploits; the uploaded file is the web shell of T1505.003, which is how the advisory's arbitrary code execution becomes persistent access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
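An added example, not part of the original page, of the detection side of that mapping: a sweep of an editor upload directory for the artefacts a T1505.003 web shell leaves behind after an unauthenticated upload. The directory layout, file names and sample contents are constructed for the demonstration; the script writes them to a temporary directory so it runs offline.

```python
import os
import tempfile

# Extensions a web server or interpreter might execute if the upload path is served.
SCRIPT_EXT = {"php", "phtml", "phar", "py", "pl", "sh", "cgi", "jsp", "asp", "aspx"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"RIFF")


def looks_like_image(head):
    """Cheap magic-number check on the first bytes of a file."""
    return any(head.startswith(m) for m in IMAGE_MAGIC)


def scan_upload_dir(root):
    """Walk an upload directory and report files a Markdown image uploader should never hold.
    Returns a sorted list of (relative path, reason)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Every extension after the first dot counts, so shell.php.png and .htaccess both match.
            exts = name.lower().split(".")[1:]
            with open(path, "rb") as fh:
                head = fh.read(16)
            if name.startswith(".ht") or any(e in SCRIPT_EXT for e in exts):
                findings.append((rel, "script or server-config name"))
            elif not looks_like_image(head):
                findings.append((rel, "content is not an image"))
            elif os.access(path, os.X_OK):
                findings.append((rel, "executable bit set"))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample tree (not real data) standing in for MEDIA_ROOT/editor."""
    root = tempfile.mkdtemp(prefix="mdeditor-uploads-")
    samples = {
        "2025/photo.png": b"\x89PNG\r\n\x1a\n" + bytes(32),          # legitimate
        "2025/banner.jpg": b"\xff\xd8\xff\xe0" + bytes(32),           # legitimate
        "2025/shell.php": b"<?php system($_GET['c']); ?>",            # classic web shell
        "2025/cover.jpg.php": b"<?php echo 1; ?>",                    # double extension
        "2025/img.png": b"<?php system($_GET['c']); ?>",              # PHP behind an image extension
        "2025/.htaccess": b"AddType application/x-httpd-php .png\n",  # re-maps .png to PHP
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

The magic-number check is deliberately weak against polyglots (a file beginning with `GIF89a` followed by PHP passes it), so treat a clean sweep as absence of the obvious, not as proof of absence. The control that actually closes T1505.003 here is serving the upload directory as static content with script execution disabled, alongside the authentication gate on the upload view; the sweep is for finding what landed before those were in place.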

CVEs Like This One

CVE-2025-34434 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)
CVE-2022-50981 (shared CWE-306)
CVE-2025-58083 (shared CWE-306)

Affected Assets

pylixm
django-mdeditor
all versions

Mitigating Controls (NIST 800-53 r5)

prevent: AC-14 (Permitted Actions Without Identification or Authentication) explicitly requires restricting critical functions such as the image upload endpoint so that they cannot be performed without identification or authentication, which directly addresses the missing authentication check.

prevent: SI-10 (Information Input Validation) mandates validation and sanitisation of inputs such as uploaded file names, preventing the malicious uploads that lead to arbitrary code execution.

prevent: AC-3 (Access Enforcement) enforces approved authorisations for access to system resources, ensuring the image upload endpoint requires proper authentication and rejects unauthenticated requests.
