## https://sploitus.com/exploit?id=1F47F181-D0DE-56B5-B436-0D0EF5F195C5
# CVE-2026-XXXXX (Pending): django-summernote Arbitrary File Upload (RCE)
This repository contains a Proof of Concept (PoC) for a **Conditional Remote Code Execution (RCE)** vulnerability discovered in `django-summernote` version 0.8.20.0 (and earlier).
## Vulnerability Details
- **Product**: django-summernote
- **Version**: <= 0.8.20.0
- **Type**: Unrestricted File Upload (CWE-434)
- **Severity**: HIGH (CVSS 7.2)
- **Impact**: Remote Code Execution (RCE)
## Description
The vulnerability exists in the lack of strict dependency enforcement in `setup.py` and the fallback logic in `forms.py`.
The `django-summernote` package treats the `Pillow` library (required for strict image validation) as an optional dependency. If `Pillow` is not installed on the server, the `UploadForm` gracefully downgrades the file input field from `forms.ImageField` to the generic `forms.FileField`.
**Vulnerable Code (`forms.py`):**
```python
try:
from PIL import Image
FIELD = forms.ImageField # Validates image content
except ImportError:
FIELD = forms.FileField # Accepts ANY file type (Dangerous)
```
This behavior allows an attacker to upload arbitrary files (e.g., `.php`, `.py`, `.sh`, `.html`) instead of images, leading to **Remote Code Execution (RCE)** or XSS, as the `views.py` relies solely on form validation.
## Reproduction Steps
1. Install `django-summernote` **without** Pillow:
```bash
pip install django-summernote
pip uninstall Pillow # Ensure Pillow is gone
```
2. Run the PoC:
```bash
python3 poc.py
```
3. Expected Output:
```
[+] Verified: Pillow is NOT installed. Vulnerable logic active.
[*] Attempting to upload a Web Shell (.php)...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[!!!] VULNERABILITY SUCCESS: SHELL UPLOADED [!!!]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[+] Form Validation Passed for: exploit.php
```
## Mitigation
Users should ensure `Pillow` is installed in their environment to enforce image validation:
```bash
pip install Pillow
```
Maintainers should move `Pillow` to `install_requires` in `setup.py` or enforce `ImageField` usage hard dependency.