CVE-2026-1213

MEDIUM

Pypi Askbot < 0.12.3 - IDOR

Title source: rule

Description

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.

References (3)

[Various Sources] https://fluidattacks.com/advisories/ghost

[Patch] https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d

View Patch ZIP pw:eip

[Various Sources] https://askbot.com/

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (3)

askbot/askbot < 0.12.2

askbot/askbot 0.12.2

pypi/askbot 0 - 0.12.3PyPI

Published Jan 27, 2026

Tracked Since Feb 18, 2026