CVE-2026-13014
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-13014, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Thales Group

Description

A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent denial of service, the potential compromise of application secrets or integrations, and root-level execution inside the Django application container. This vulnerability has been names "Matryoshka Mail". Thales PSIRT acknowledges and thanks Lucien Doustaly (aka wlayzz) for discovering and reporting this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
thales certain_suspicious_application to 1.3.4 (exc)
thales suspicious to 1.3.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13014 is a critical vulnerability in the Thales CERT "Suspicious" application versions up to 1.3.4 that allows a remote and unauthenticated attacker to execute arbitrary code within a Django application container.

The flaw arises from improper handling of nested attachments, which enables path traversal and code injection attacks. This allows the attacker to overwrite writable application files such as Python modules, configuration files, cron inputs, and runtime artifacts.

Exploitation can lead to persistent denial of service, compromise of application secrets or integrations, and root-level execution inside the container.

Impact Analysis

This vulnerability can have severe impacts including persistent denial of service and full system compromise within the affected application container.

An attacker can overwrite critical files such as Python modules and configuration files, potentially compromising application secrets and integrations.

In environments using Docker, exploitation grants the attacker root-level access inside the container, significantly increasing the risk and impact.

Detection Guidance

This vulnerability affects the "suspicious" package versions up to 1.3.4 and involves remote code execution via path traversal and code injection. Detection can focus on identifying the vulnerable version and signs of exploitation such as unexpected file modifications or suspicious cron inputs.

  • Check the installed version of the suspicious package to confirm if it is <= 1.3.4.
  • Use commands like `pip show suspicious` or check the package version in your environment.
  • Search for unexpected changes in Python modules, configuration files, or cron inputs within the Django application container.
  • Monitor logs for unusual activity or errors related to nested attachments or file writes.
Mitigation Strategies

The primary mitigation step is to upgrade the suspicious package to version 1.3.5 or later, where the vulnerability is patched.

  • Update the suspicious package using your package manager, for example: `pip install --upgrade suspicious`.
  • Review and restrict file permissions within the Django application container to limit the impact of potential exploitation.
  • Monitor and audit cron inputs and configuration files for unauthorized changes.
  • Consider isolating the Django application container and applying network-level restrictions to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart