VYPR
High severity · 7.1 · NVD Advisory · Published Apr 30, 2026 · Updated May 5, 2026

CVE-2025-13030

Description

All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.
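
The defensive counterpart of the two weaknesses the description names, as an added example that is not part of the advisory or of django-mdeditor's own code: the server chooses the stored file name itself, accepts only the allowlisted image extensions, and requires the file's leading bytes to agree with that extension, so a client-supplied name cannot traverse directories or keep a second extension. The allowlist and the MEDIA_ROOT/image_folder layout mirror the package's settings; the magic-byte table and the helper names are assumptions.

```python
import os
import secrets
from typing import Optional

# Allowlist mirroring the package's upload_image_formats setting, lower-cased.
ALLOWED_FORMATS = {"jpg", "jpeg", "gif", "png", "bmp", "webp"}

# Leading bytes of each allowed format (constructed for this example).
MAGIC_PREFIXES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def sniff_format(head: bytes) -> Optional[str]:
    """Return the format implied by the file's first bytes, or None if unknown."""
    if len(head) >= 12 and head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    for fmt, prefixes in MAGIC_PREFIXES.items():
        if head.startswith(prefixes):
            return fmt
    return None


def safe_image_name(original_name: str, head: bytes, token: Optional[str] = None) -> str:
    """Choose the stored name server-side (random token + allowlisted extension).

    Directory parts and every other character of the client-supplied name are
    discarded, so the name cannot traverse out of the folder or carry a second
    extension such as `.php`; the extension must also agree with the magic bytes.
    """
    base = original_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_FORMATS:
        raise ValueError(f"extension not allowed: {ext!r}")
    # jpg and jpeg are the same container; every other pair must match exactly.
    if sniff_format(head) != ("jpg" if ext == "jpeg" else ext):
        raise ValueError("file content does not match its extension")
    return f"{token or secrets.token_hex(16)}.{ext}"


def stored_path(media_root: str, image_folder: str, name: str) -> str:
    """Join MEDIA_ROOT/image_folder/name and confirm the result stays inside."""
    folder = os.path.realpath(os.path.join(media_root, image_folder))
    full = os.path.realpath(os.path.join(folder, name))
    if os.path.commonpath([folder, full]) != folder:
        raise ValueError("path escapes the image folder")
    return full
```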

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
django-mdeditor (PyPI)   <= 0.1.20

Affected products (2)

  • Pylixm/Django Mdeditor (2 versions)
    • (no CPE)
    • cpe:2.3:a:pylixm:django-mdeditor:*:*:*:*:*:*:*:*

Patches (1)

Commit 3e80f9edcabc

Merge pull request #185 from lenoctambule/master

5 files changed · +24 -2
  • mdeditor/configs.py (+1 -0, modified)
    @@ -17,6 +17,7 @@
         'upload_image_formats': ["jpg", "JPG", "jpeg", "JPEG", "gif", "GIF", "png",
                                  "PNG", "bmp", "BMP", "webp", "WEBP"],
         'upload_image_url': '/mdeditor/uploads/',
    +    'upload_require_auth' : False,
         'image_folder': 'editor',
         'theme': 'default',  # dark / default
         'preview_theme': 'default',  # dark / default
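
    Review bot: `'upload_require_auth' : False` makes the new authentication check opt-in, so a deployment that upgrades without editing MDEDITOR_CONFIGS keeps the unauthenticated upload endpoint this CVE describes; consider defaulting to True, or at least stating the consequence of the default in the changelog. Minor: the space before the colon doesn't match the other keys in this dict.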
    
  • mdeditor/views.py (+19 -1, modified)
    @@ -8,11 +8,11 @@
     from django.views.decorators.csrf import csrf_exempt
     from django.utils.decorators import method_decorator
     from .configs import MDConfig
    +from PIL import Image
     
     # TODO 此处获取default配置,当用户设置了其他配置时,此处无效,需要进一步完善
     MDEDITOR_CONFIGS = MDConfig('default')
     
    -
     class UploadView(generic.View):
         """ upload image file """
     
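
    Review bot: dropping the blank line at the end of this hunk leaves a single blank line before `class UploadView`, where PEP 8 expects two before a top-level class; keep the removed line. The `from PIL import Image` import is unconditional, so Pillow becomes a hard runtime dependency of the package from this commit on.
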
    @@ -23,6 +23,15 @@ def dispatch(self, *args, **kwargs):
         def post(self, request, *args, **kwargs):
             upload_image = request.FILES.get("editormd-image-file", None)
             media_root = settings.MEDIA_ROOT
    +        upload_require_auth = MDEDITOR_CONFIGS.get('upload_require_auth', False)
    +
    +        # Check if user is authenticated if it is required
    +        if upload_require_auth and not request.user.is_authenticated :
    +            return JsonResponse({
    +                'success' : 0,
    +                'message': "Authentication required.",
    +                'url': ""
    +            })
     
             # image none check
             if not upload_image:
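
    Review bot: `MDEDITOR_CONFIGS.get('upload_require_auth', False)` fails open, so sites that haven't added the new key get no protection from this hunk; if the configs.py default stays False, at least let the view default to True here. The refusal is returned as a 200 JsonResponse, which hides it from clients and access logs; pass `status=401` (or 403) to the response. `request.user` presupposes Django's AuthenticationMiddleware, which is worth stating in the docs for this setting. Style: `'success' : 0` and `is_authenticated :` have spaces before the colon.
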
    @@ -44,6 +53,15 @@ def post(self, request, *args, **kwargs):
                     'url': ""
                 })
     
    +        try :
    +            Image.open(upload_image)
    +        except :
    +            return JsonResponse({
    +                'success': 0,
    +                'message': "File format not recognized.",
    +                'url': ""
    +            })
    +
             # image floder check
             file_path = os.path.join(media_root, MDEDITOR_CONFIGS['image_folder'])
             if not os.path.exists(file_path):
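
    Review bot: `Image.open()` only parses the header lazily, so a file that starts with a valid image header and carries other content after it passes this check, and nothing here touches the file name, so the file-name sanitisation the advisory mentions is still absent. At minimum call `.verify()` on the opened image (and reopen it afterwards if it is used again), and take the stored extension from the format Pillow reports rather than from the client-supplied name. The bare `except :` also swallows `KeyboardInterrupt` and `SystemExit`; narrow it to `except Exception:`. `Image.open()` advances the upload's read position, so confirm the save path that follows rewinds the file before writing it out.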
    
  • README_CN.md (+2 -1, modified)
    @@ -201,7 +201,8 @@ MDEDITOR_CONFIGS = {
                     "emoji", "html-entities", "pagebreak", "goto-line", "|",
                     "help", "info",
                     "||", "preview", "watch", "fullscreen"],  # 自定义编辑框工具栏
    -    'upload_image_formats': ["jpg", "jpeg", "gif", "png", "bmp", "webp"],  # 图片上传格式类型
    +    'upload_image_formats': ["jpg", "jpeg", "gif", "png", "bmp", "webp"],  # 图片上传格式类型,
    +    'upload_require_auth' : False, # TODO: Translation needed here
         'image_folder': 'editor',  # 图片保存文件夹名称
         'theme': 'default',  # 编辑框主题 ,dark / default
         'preview_theme': 'default',  # 预览区域主题, dark / default
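
    Review bot: the `# TODO: Translation needed here` placeholder should not ship in the README; the Chinese comment can mirror the wording used in README.md. The trailing comma appended to the previous line's comment (`# 图片上传格式类型,`) looks accidental and should be dropped.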
    
  • README.md (+1 -0, modified)
    @@ -196,6 +196,7 @@ MDEDITOR_CONFIGS = {
                         "help", "info",
                         "||", "preview", "watch", "fullscreen"],  # custom edit box toolbar 
             'upload_image_formats': ["jpg", "jpeg", "gif", "png", "bmp", "webp"],  # image upload format type
    +        'upload_require_auth' : False, # image upload authentication requirement
             'image_folder': 'editor',  # image save the folder name
             'theme': 'default',  # edit box theme, dark / default
             'preview_theme': 'default',  # Preview area theme, dark / default
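
    Review bot: the comment `# image upload authentication requirement` says neither what the value does nor that the default leaves uploads open to anonymous users; suggest `# require a logged-in user for image uploads (default False: anonymous uploads allowed)`. The spacing in `'upload_require_auth' : False` differs from the other keys.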
    
  • requirements.txt (+1 -0, modified)
    @@ -2,3 +2,4 @@ asgiref==3.5.0
     Django==4.0.3
     mistune==2.0.3
     sqlparse==0.4.2
    +Pillow==9.3.0
    \ No newline at end of file
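
    Review bot: requirements.txt only pins the development environment; since views.py now imports PIL unconditionally, check that the package's install metadata (setup.py or pyproject.toml, whichever the project uses) declares Pillow as well, otherwise installs from PyPI fail at import time. Restore the trailing newline flagged by `\ No newline at end of file`, and consider a lower bound (`Pillow>=9.3.0`) rather than an exact pin for a library dependency.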
    
