Back to overview

CVE-2026-13014

CRITICAL
9.2
CVSS 4.0
Description
A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent denial of service, the potential compromise of application secrets or integrations, and root-level execution inside the Django application container. This vulnerability has been names "Matryoshka Mail". Thales PSIRT acknowledges and thanks Lucien Doustaly (aka wlayzz) for discovering and reporting this issue.

Metadata

CVE ID
CVE-2026-13014
State
PUBLISHED
Assigner
THA-PSIRT
Reserved
2026-06-23 15:40 UTC
Published
2026-07-13 09:42 UTC
Last updated
2026-07-13 14:07 UTC
Primary CWE
CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product
Thales CERT / Suspicious
Sources
cve.org  ·  NVD

Severity & Metrics

9.2 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Thales CERT Suspicious v1.2.0 ≤ v1.3.4
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 cna CWE-73 External control of file name or path
CWE-94 cna CWE-94 Improper Control of Generation of Code
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.2 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview