CVE-2026-13014

Thales CERT · Suspicious

Thales CERT "Suspicious" versions 1.2.0-1.3.4 contain a path traversal and code injection vulnerability ("Matryoshka Mail") allowing unauthenticated remote code execution.

Executive summary

An unauthenticated remote code execution vulnerability in Thales CERT "Suspicious" allows attackers to overwrite critical files and gain root access inside the application container.

Vulnerability

This vulnerability (CWE-22, CWE-73, CWE-94) allows an unauthenticated attacker to perform path traversal and arbitrary file overwriting. By manipulating file paths, an attacker can overwrite configuration files or Python modules, ultimately resulting in root-level code execution within the Django application container.

Business impact

Assessed at a 9.2 CVSS score, this vulnerability represents a severe threat to the integrity and availability of the "Suspicious" application. Successful exploitation could lead to the theft of application secrets, permanent service denial, and total compromise of the affected containerized environment.

Remediation

Immediate Action: Upgrade the Thales CERT Suspicious application to version v1.3.5 immediately.

Proactive Monitoring: Review application logs for path manipulation attempts (e.g., ../ sequences) and check for unexpected modifications to application source files or configuration artifacts.

Compensating Controls: Restrict network access to the application to trusted IP ranges only and ensure the container runs with the least-privilege principle applied to the filesystem.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

Given the ease of exploitation and the critical nature of the impact, organizations should move to update to v1.3.5 as their highest priority. Failure to patch leaves the application and the underlying container host highly vulnerable to remote exploitation.