CVE-2025-13030: django-mdeditor Vulnerable to Code Execution via Image Upload
A critical vulnerability, CVE-2025-13030, has been identified in all versions of the django-mdeditor package. The National Vulnerability Database reports this as a Missing Authentication for Critical Function, specifically impacting the image upload endpoint. This lapse in security means the endpoint lacks proper authentication and sufficient sanitization of uploaded file names.
This flaw allows an attacker to upload malicious files without any authentication. The direct consequence is arbitrary code execution, a severe impact given the ease of exploitation. The National Vulnerability Database has assigned a CVSS score of 7.1 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, underscoring the remote, low-complexity nature of the attack and its potential for broad impact.
For defenders, this is a straightforward RCE vector. The attacker’s calculus is simple: find an exposed django-mdeditor instance and upload a web shell. CISOs must prioritize this as a critical patch. The lack of authentication and poor file name sanitization are fundamental security missteps that directly enable severe compromise.
What This Means For You
- If your organization uses the `django-mdeditor` package, you are directly exposed to unauthenticated remote code execution. Immediately identify all instances running this package and apply any available patches or implement strict access controls and file upload validation as a mitigating control. Audit logs for suspicious file uploads.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2025-13030: django-mdeditor Unauthenticated Image Upload for Code Execution
title: CVE-2025-13030: django-mdeditor Unauthenticated Image Upload for Code Execution
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2025-13030 by targeting the unauthenticated image upload endpoint in django-mdeditor. This endpoint is vulnerable to code execution due to missing authentication and improper filename sanitization, allowing attackers to upload malicious files.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2025-13030/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/mdeditor/upload/'
cs-method:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-13030 | RCE | django-mdeditor package, all versions |
| CVE-2025-13030 | Missing Authentication | django-mdeditor image upload endpoint |
| CVE-2025-13030 | Code Injection | Lack of proper sanitisation of file names in django-mdeditor image upload endpoint |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6521 — Denial of Service
CVE-2026-6521 — OpenFlow v5 protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-6520 — Denial of Service
CVE-2026-6520 — OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-6519 — Denial of Service
CVE-2026-6519 — MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service