CVE-2025-13030
Published: 30 April 2026
Summary
CVE-2025-13030 is a low-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Pylixm Django-Mdeditor. Its CVSS base score is 2.0 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-13030 affects all versions of the Python package django-mdeditor, a Django extension for Markdown editing. The vulnerability is a missing authentication check on the critical image upload endpoint, classified under CWE-306 (Missing Authentication for Critical Function). Because the endpoint performs no authentication check and does not properly sanitise uploaded file names, an unauthenticated attacker can upload malicious files and achieve arbitrary code execution. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and privilege escalation potential.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as tricking a legitimate user into accessing a crafted link or interacting with the endpoint. By sending a malicious file to the unprotected image upload endpoint, the attacker bypasses authentication and exploits inadequate file name sanitisation to achieve arbitrary code execution on the server, with impact reaching beyond the vulnerable component (S:C) and compromising confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L).
Mitigation details are available in the upstream repository, including the vulnerable code at views.py line 25, a fixing commit (3e80f9edcabc5d2fc136b05a501964b8a5e97cfe), the issue tracker discussion (#151), and the pull request (#185) on the django-mdeditor GitHub repository. Additional analysis is provided by Snyk at SNYK-PYTHON-DJANGOMDEDITOR-8630926, which recommends upgrading to a patched version in which authentication and file name sanitisation have been implemented. Security practitioners should audit deployments that use django-mdeditor and apply these fixes promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209593
Vulnerability details
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the upload endpoint directly enables T1190 (exploitation of a public-facing application), leading to web shell deployment and remote code execution.
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly requires restricting critical functions like the image upload endpoint that can be performed without identification or authentication, directly addressing the missing authentication vulnerability.
SI-10 mandates validation and sanitization of inputs such as uploaded file names, preventing malicious file uploads that lead to arbitrary code execution.
AC-3 enforces approved authorizations for access to system resources, ensuring the image upload endpoint requires proper authentication and blocks unauthenticated access.
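The following is an added illustration of the two controls discussed in the deeper analysis and in the NIST mappings above (an authentication gate on the upload handler, and validation of the client-supplied file name); it is not django-mdeditor's code and not the upstream fix. The Request and Response classes are minimal stand-ins for Django's HttpRequest/JsonResponse so the example runs without Django installed, and the upload directory and URL prefix are assumed values.

```python
"""Hardened image-upload gate (added example, not the project's code).

Models the controls the advisory names:
  - AC-14 / AC-3: refuse the upload unless the caller is authenticated.
  - SI-10: sanitise the client-supplied file name before it reaches the
    filesystem and restrict it to image extensions.
"""
import os
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
# Anything outside this alphabet (spaces, NUL bytes, path separators, ...)
# is replaced with an underscore.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


@dataclass
class Request:
    """Stand-in for the parts of a Django HttpRequest the view needs (assumption)."""
    method: str
    is_authenticated: bool
    file_name: Optional[str] = None  # name the browser sent with the upload


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def sanitize_image_filename(client_name: str) -> str:
    """Return a safe basename with an allowed image extension, or raise ValueError."""
    # Drop any directory component, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    if not base or "." not in base:
        raise ValueError("missing or invalid file name")
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not an allowed image type")
    # Collapse double extensions such as 'shell.php.png' -> 'shell_php.png'.
    stem = stem.replace(".", "_")[:40]
    return f"{stem}.{ext}"


def upload_image_view(request: Request, upload_dir: str = "media/uploads") -> Response:
    """Upload handler that checks authentication before touching the file."""
    if request.method != "POST":
        return Response(405)
    if not request.is_authenticated:
        # The check the advisory reports as missing: reject before any file handling.
        return Response(403, {"error": "authentication required"})
    try:
        safe_name = sanitize_image_filename(request.file_name or "")
    except ValueError as exc:
        return Response(400, {"error": str(exc)})
    # Store under a randomised name so the client never chooses the on-disk name.
    stem, ext = safe_name.rsplit(".", 1)
    stored_name = f"{stem}_{secrets.token_hex(8)}.{ext}"
    stored_path = os.path.abspath(os.path.join(upload_dir, stored_name))
    # Defence in depth: the final path must still sit inside the upload directory.
    if os.path.commonpath([stored_path, os.path.abspath(upload_dir)]) != os.path.abspath(upload_dir):
        return Response(400, {"error": "invalid upload path"})
    # Writing the file bytes to stored_path is omitted here.
    return Response(200, {"url": f"/media/uploads/{stored_name}"})


if __name__ == "__main__":
    # Constructed requests: anonymous caller, then an authenticated caller
    # with a traversal-style name, then a clean image name.
    print(upload_image_view(Request("POST", False, "cat.png")))
    print(upload_image_view(Request("POST", True, "../../etc/passwd")))
    print(upload_image_view(Request("POST", True, "cat.png")))
```

The authentication check is deliberately the first thing the handler does after the method check, so that an anonymous request never reaches the file name logic at all; in a Django deployment the same ordering is what a login_required decorator on the view gives you.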