Cyber Resilience

CVE-2026-6577

Medium

Published: 19 April 2026

Published
19 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0010 28.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6577 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-6577 is a missing authentication vulnerability affecting liangliangyy DjangoBlog versions up to 2.1.0.0. The issue resides in an unknown function within the file owntracks/views.py, part of the logtracks endpoint component. This flaw, classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), allows remote manipulation without required credentials, earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables unauthenticated GPS data injection via the logtracks endpoint, potentially resulting in low-level impacts to confidentiality, integrity, and availability, such as unauthorized data modification or access.

Advisories from VulDB (vuln/358212) and related submissions document the issue, noting that the vendor was contacted early but provided no response or patches. A public exploit is available in a GitHub repository detailing unauthenticated GPS data injection, increasing the risk of active misuse. Practitioners should restrict access to the logtracks endpoint or upgrade if a patch emerges.

EU & UK References

Vulnerability details

A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit…

more

is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on public-facing logtracks endpoint in DjangoBlog web app directly enables remote unauthenticated exploitation, mapping to T1190: Exploit Public-Facing Application for data injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306
CVE-2026-6126Shared CWE-287, CWE-306

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly requires identifying and restricting critical functions like the logtracks endpoint that must not permit actions without identification and authentication, addressing the core missing authentication flaw.

prevent

AC-3 enforces approved access authorizations for system resources, preventing remote unauthenticated manipulation of the vulnerable logtracks endpoint.

prevent

CM-7 restricts system functionality to essentials, allowing prohibition of unnecessary endpoints like logtracks to mitigate unauthenticated access risks.

References