Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.
Technical ContextAI
DjangoBlog is a Python-based blog platform built on Django framework. The vulnerability resides in the OwnTracks integration component (owntracks/views.py), which implements location tracking functionality via the logtracks endpoint. The root cause is CWE-306 (Missing Authentication for Critical Function), meaning the endpoint accepts and processes GPS tracking data without validating the requester's identity or authorization. The affected product is identified as cpe:2.3:a:liangliangyy:djangoblog through version 2.1.0.0. OwnTracks is a privacy-focused location tracking protocol typically requiring authenticated clients, but this implementation fails to enforce authentication checks before accepting location data submissions.
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. Immediate compensating controls: Disable the OwnTracks integration entirely if GPS tracking functionality is not business-critical (eliminates attack surface but removes location tracking capability). If OwnTracks must remain operational, implement reverse proxy authentication (e.g., nginx basic auth or OAuth2 proxy) in front of the /owntracks/logtracks endpoint to enforce authentication before requests reach the vulnerable Django view (adds operational complexity and may break legitimate OwnTracks clients expecting direct endpoint access). Restrict network access to the logtracks endpoint via firewall rules to trusted IP ranges only (effective for known-client scenarios but incompatible with mobile tracking use cases). Apply Web Application Firewall (WAF) rules to require valid session tokens or API keys in requests to owntracks paths (requires custom rule development and testing). Monitor for patch availability at the project's GitHub repository github.com/liangliangyy/DjangoBlog. All mitigations except disabling the feature carry risk of disrupting legitimate OwnTracks functionality and require testing against deployment-specific tracking workflows.
More in Djangoblog
View allDjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint tha
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authenticat
Cross-site Scripting (XSS) - Stored in GitHub repository liangliangyy/djangoblog prior to master. Rated medium severity
DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in djangoblog/settings.py that can be exploited remotel
Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangob
Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system c
Improper authorization in liangliangyy DjangoBlog versions up to 2.1.0.0 allows authenticated remote attackers to manipu
DjangoBlog versions up to 2.1.0.0 use a hard-coded cryptographic key in djangoblog/settings.py when the SECRET_KEY argum
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23708