Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.
Technical ContextAI
DjangoBlog is a Django-based blogging application. The vulnerability resides in the Clean Endpoint within blog/views.py, which is likely a cache management or data cleanup function exposed via HTTP. CWE-306 indicates Missing Authentication for Critical Function, meaning a security-critical operation lacks proper authentication checks before execution. The attack vector (AV:N) and low complexity (AC:L) suggest the vulnerable endpoint is directly accessible over the network without requiring special conditions. The E:P flag in the CVSS vector indicates proof-of-concept code has been published, lowering the bar for exploitation. CPE cpe:2.3:a:liangliangyy:djangoblog:*:*:*:*:*:*:*:* indicates all versions up to and including 2.1.0.0 are affected.
RemediationAI
No vendor-released patched version has been identified at time of analysis. The vendor did not respond to early disclosure. Immediate mitigation requires disabling or restricting access to the Clean Endpoint in blog/views.py. Specific compensating controls include: (1) Remove or rename the vulnerable endpoint to prevent direct HTTP access; (2) Implement authentication middleware that wraps all cache-related endpoints, checking for valid Django session tokens before executing cache operations; (3) Restrict network access to the Clean Endpoint via WAF or firewall rules, allowing only requests from trusted administrative IP addresses; (4) Disable caching features if not critical to operations, reducing the attack surface. Organizations should also upgrade DjangoBlog as soon as a patched version is released by the vendor (monitor the official repository). In the interim, if the Clean Endpoint is not used in production, removing or disabling it entirely is the strongest mitigation with no functional side effects.
More in Djangoblog
View allMissing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking da
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authenticat
Cross-site Scripting (XSS) - Stored in GitHub repository liangliangyy/djangoblog prior to master. Rated medium severity
DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in djangoblog/settings.py that can be exploited remotel
Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangob
Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system c
Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0 allows authenticated remote attackers to manipu
DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py when the SECRET_KEY argum
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23712
GHSA-5q63-8x25-h545