CVE-2026-13014
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent denial of service, the potential compromise of application secrets or integrations, and root-level execution inside the Django application container. This vulnerability has been names "Matryoshka Mail". Thales PSIRT acknowledges and thanks
Lucien Doustaly (aka wlayzz) for discovering and reporting this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Thales CERT | Suspicious | v1.2.0 <= v1.3.4 | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-73: CWE-73 External control of file name or path
- CWE-94: CWE-94 Improper Control of Generation of Code
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.