CVE-2026-16213
Received Received - Intake

Cleartext Password Storage in Django-Blog-Zinnia

Vulnerability report for CVE-2026-16213, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A security flaw has been discovered in Fantomas42 django-blog-zinnia up to 0.20. Affected by this vulnerability is an unknown functionality of the file zinnia/views/mixins/entry_protection.py of the component Protected Entry Password Handler. The manipulation results in cleartext storage of sensitive information. The attack needs to be approached locally. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fantomas42 django-blog-zinnia to 0.20 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-310 Cryptographic Issues

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the storage of protected entry passwords in plaintext within Django session data in the django-blog-zinnia application up to version 0.20. The flaw occurs in the file zinnia/views/mixins/entry_protection.py where the raw password is stored directly in the session after a visitor unlocks an entry. This allows sensitive information to be exposed if session data is compromised through logs, backups, or database access.

Detection Guidance

Check Django session data for plaintext passwords in zinnia/views/mixins/entry_protection.py. Inspect session storage files or database entries for stored passwords. Look for entries in logs or backups that may contain raw passwords.

Impact Analysis

If you use django-blog-zinnia up to version 0.20, an attacker with access to session data could retrieve plaintext passwords for protected entries. This risk is higher in deployments where session storage is accessible, such as client-side readable sessions or exposed session storage. The vulnerability requires local access to exploit.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to the cleartext storage of sensitive information. GDPR requires protection of personal data, and HIPAA mandates safeguards for protected health information. Storing passwords in plaintext violates these standards, increasing the risk of data breaches and regulatory penalties.

Mitigation Strategies

Stop storing raw passwords in session data. Replace with a secure marker or digest. Update the code in entry_protection.py to avoid plaintext storage. Invalidate existing sessions if passwords were exposed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart