Skip to main content

Djangoblog CVE-2026-6579

| EUVDEUVD-2026-23712 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-19 VulDB GHSA-5q63-8x25-h545
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 19, 2026 - 22:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
Apr 19, 2026 - 22:20 vuln.today
EUVD ID Assigned
Apr 19, 2026 - 22:15 euvd
EUVD-2026-23712
Analysis Generated
Apr 19, 2026 - 22:15 vuln.today
CVE Published
Apr 19, 2026 - 22:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.

Technical ContextAI

DjangoBlog is a Django-based blogging application. The vulnerability resides in the Clean Endpoint within blog/views.py, which is likely a cache management or data cleanup function exposed via HTTP. CWE-306 indicates Missing Authentication for Critical Function, meaning a security-critical operation lacks proper authentication checks before execution. The attack vector (AV:N) and low complexity (AC:L) suggest the vulnerable endpoint is directly accessible over the network without requiring special conditions. The E:P flag in the CVSS vector indicates proof-of-concept code has been published, lowering the bar for exploitation. CPE cpe:2.3:a:liangliangyy:djangoblog:*:*:*:*:*:*:*:* indicates all versions up to and including 2.1.0.0 are affected.

RemediationAI

No vendor-released patched version has been identified at time of analysis. The vendor did not respond to early disclosure. Immediate mitigation requires disabling or restricting access to the Clean Endpoint in blog/views.py. Specific compensating controls include: (1) Remove or rename the vulnerable endpoint to prevent direct HTTP access; (2) Implement authentication middleware that wraps all cache-related endpoints, checking for valid Django session tokens before executing cache operations; (3) Restrict network access to the Clean Endpoint via WAF or firewall rules, allowing only requests from trusted administrative IP addresses; (4) Disable caching features if not critical to operations, reducing the attack surface. Organizations should also upgrade DjangoBlog as soon as a patched version is released by the vendor (monitor the official repository). In the interim, if the Clean Endpoint is not used in production, removing or disabling it entirely is the strongest mitigation with no functional side effects.

Share

CVE-2026-6579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy