{"id":"PYSEC-2026-1193","summary":"askbot inexhaustive permissions check allows any user to modify a different user's profile picture","details":"All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2.","aliases":["CVE-2026-1213","GHSA-r2jv-fwfr-4j8c"],"modified":"2026-07-07T17:47:11.581570396Z","published":"2026-07-07T16:03:20.731805Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1213"},{"type":"WEB","url":"https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d"},{"type":"WEB","url":"https://askbot.com"},{"type":"WEB","url":"https://fluidattacks.com/advisories/ghost"},{"type":"PACKAGE","url":"https://github.com/askbot/askbot-devel"},{"type":"PACKAGE","url":"https://pypi.org/project/askbot"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-r2jv-fwfr-4j8c"}],"affected":[{"package":{"name":"askbot","ecosystem":"PyPI","purl":"pkg:pypi/askbot"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.12.3"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.11.0","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","0.11.7","0.11.8","0.12.0","0.12.1","0.12.2","0.6.0","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.15","0.6.16","0.6.17","0.6.18","0.6.19","0.6.2","0.6.20","0.6.21","0.6.22","0.6.23","0.6.24","0.6.25","0.6.26","0.6.27","0.6.28","0.6.29","0.6.3","0.6.30","0.6.31","0.6.32","0.6.33","0.6.34","0.6.35","0.6.36","0.6.37","0.6.38","0.6.39","0.6.4","0.6.40","0.6.41","0.6.42","0.6.43","0.6.44","0.6.45","0.6.46","0.6.47","0.6.48","0.6.49","0.6.5","0.6.50","0.6.51","0.6.52","0.6.53","0.6.54","0.6.55","0.6.56","0.6.57","0.6.58","0.6.59","0.6.6","0.6.60","0.6.61","0.6.62","0.6.63","0.6.64","0.6.65","0.6.66","0.6.67","0.6.68","0.6.69","0.6.7","0.6.70","0.6.71","0.6.72","0.6.73","0.6.74","0.6.75","0.6.76","0.6.77","0.6.78","0.6.79","0.6.8","0.6.80","0.6.81","0.6.82","0.6.83","0.6.84","0.6.85","0.6.86","0.6.87","0.6.88","0.6.89","0.6.9","0.6.90","0.6.91","0.6.92","0.6.93","0.6.94","0.6.95","0.6.97","0.6.98","0.6.99","0.7.0","0.7.1","0.7.10","0.7.11","0.7.12","0.7.13","0.7.14","0.7.15","0.7.16","0.7.17","0.7.18","0.7.19","0.7.20","0.7.21","0.7.22","0.7.23","0.7.24","0.7.25","0.7.26","0.7.27","0.7.28","0.7.29","0.7.3","0.7.30","0.7.31","0.7.32","0.7.33","0.7.34","0.7.36","0.7.37","0.7.38","0.7.39","0.7.40","0.7.41","0.7.42","0.7.43","0.7.44","0.7.45","0.7.46","0.7.47","0.7.48","0.7.49","0.7.5","0.7.50","0.7.52","0.7.53","0.7.54","0.7.55","0.7.56","0.7.57","0.7.58","0.7.59","0.7.6","0.7.7","0.7.8","0.7.9","0.8.0","0.8.1","0.8.2","0.8.3","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/askbot/PYSEC-2026-1193.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}