Share
## https://sploitus.com/exploit?id=1F47F181-D0DE-56B5-B436-0D0EF5F195C5
# CVE-2026-XXXXX (Pending): django-summernote Arbitrary File Upload (RCE)

This repository contains a Proof of Concept (PoC) for a **Conditional Remote Code Execution (RCE)** vulnerability discovered in `django-summernote` version 0.8.20.0 (and earlier).

## Vulnerability Details

- **Product**: django-summernote
- **Version**: <= 0.8.20.0
- **Type**: Unrestricted File Upload (CWE-434)
- **Severity**: HIGH (CVSS 7.2)
- **Impact**: Remote Code Execution (RCE)

## Description

The vulnerability exists in the lack of strict dependency enforcement in `setup.py` and the fallback logic in `forms.py`.

The `django-summernote` package treats the `Pillow` library (required for strict image validation) as an optional dependency. If `Pillow` is not installed on the server, the `UploadForm` gracefully downgrades the file input field from `forms.ImageField` to the generic `forms.FileField`.

**Vulnerable Code (`forms.py`):**
```python
try:
    from PIL import Image
    FIELD = forms.ImageField  # Validates image content
except ImportError:
    FIELD = forms.FileField   # Accepts ANY file type (Dangerous)
```

This behavior allows an attacker to upload arbitrary files (e.g., `.php`, `.py`, `.sh`, `.html`) instead of images, leading to **Remote Code Execution (RCE)** or XSS, as the `views.py` relies solely on form validation.

## Reproduction Steps

1. Install `django-summernote` **without** Pillow:
   ```bash
   pip install django-summernote
   pip uninstall Pillow  # Ensure Pillow is gone
   ```

2. Run the PoC:
   ```bash
   python3 poc.py
   ```

3. Expected Output:
   ```
   [+] Verified: Pillow is NOT installed. Vulnerable logic active.
   [*] Attempting to upload a Web Shell (.php)...
   
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   [!!!] VULNERABILITY SUCCESS: SHELL UPLOADED [!!!]
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   [+] Form Validation Passed for: exploit.php
   ```

## Mitigation

Users should ensure `Pillow` is installed in their environment to enforce image validation:
```bash
pip install Pillow
```
Maintainers should move `Pillow` to `install_requires` in `setup.py` or enforce `ImageField` usage hard dependency.