Skip to main content

Djangoblog CVE-2026-6577

| EUVDEUVD-2026-23708 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-19 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 19, 2026 - 20:22 NVD
HIGH MEDIUM
CVSS changed
Apr 19, 2026 - 20:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 19, 2026 - 20:06 vuln.today
EUVD ID Assigned
Apr 19, 2026 - 20:00 euvd
EUVD-2026-23708
Analysis Generated
Apr 19, 2026 - 20:00 vuln.today
CVE Published
Apr 19, 2026 - 19:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.

Technical ContextAI

DjangoBlog is a Python-based blog platform built on Django framework. The vulnerability resides in the OwnTracks integration component (owntracks/views.py), which implements location tracking functionality via the logtracks endpoint. The root cause is CWE-306 (Missing Authentication for Critical Function), meaning the endpoint accepts and processes GPS tracking data without validating the requester's identity or authorization. The affected product is identified as cpe:2.3:a:liangliangyy:djangoblog through version 2.1.0.0. OwnTracks is a privacy-focused location tracking protocol typically requiring authenticated clients, but this implementation fails to enforce authentication checks before accepting location data submissions.

RemediationAI

No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. Immediate compensating controls: Disable the OwnTracks integration entirely if GPS tracking functionality is not business-critical (eliminates attack surface but removes location tracking capability). If OwnTracks must remain operational, implement reverse proxy authentication (e.g., nginx basic auth or OAuth2 proxy) in front of the /owntracks/logtracks endpoint to enforce authentication before requests reach the vulnerable Django view (adds operational complexity and may break legitimate OwnTracks clients expecting direct endpoint access). Restrict network access to the logtracks endpoint via firewall rules to trusted IP ranges only (effective for known-client scenarios but incompatible with mobile tracking use cases). Apply Web Application Firewall (WAF) rules to require valid session tokens or API keys in requests to owntracks paths (requires custom rule development and testing). Monitor for patch availability at the project's GitHub repository github.com/liangliangyy/DjangoBlog. All mitigations except disabling the feature carry risk of disrupting legitimate OwnTracks functionality and require testing against deployment-specific tracking workflows.

Share

CVE-2026-6577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy