PYSEC-2026-2553

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kiwitcms/PYSEC-2026-2553.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2553
Aliases
Published
2026-07-13T15:46:27.733373Z
Modified
2026-07-13T16:31:47.790923311Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
Details

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use.

Impact

The /init-db/ page does not require any user authentication because it is the first setup operation that needs to be executed in order for Kiwi TCMS to function. Database initialization happens before there are any user accounts available!

While that looks serious at first the /init-db/ page is merely a proxy behind the /Kiwi/manage.py migrate command, which itself is designed to be reentrant. In the case of repeated access to the /init-db/ page after first use the output is:

Running migrations:
  No migrations to apply.

as shown on the screenshots below:

<img width="1911" height="992" alt="2222" src="https://github.com/user-attachments/assets/9f661c71-b305-4380-aadf-0732321b3666" />

<img width="1913" height="1020" alt="3333" src="https://github.com/user-attachments/assets/10f8553e-675d-42be-9adc-cd5613df015c" />

  • There is no data loss because migrations result in a no-op if they are already applied!
  • No application state is altered because all state changes have already been applied!
  • No confidential information revealed because database migrations only report status on migrations which are clearly visible in source code!

Remediation

The /init-db/ page has been modified to short-circuit itself if migrations have already been applied, resulting in a no-op on the webUI layer as well.

References

Affected packages

PyPI / kiwitcms

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
12.4

Affected versions

6.*
6.2.1
6.3
6.4
6.5
6.5.3
6.6
6.7
6.8
6.9
6.10
6.11
7.*
7.0
7.1
7.2
7.2.1
7.3
8.*
8.0
8.1
8.1.99
8.2
8.3
8.4
8.5
8.6
8.6.1
8.7
8.8
8.9
9.*
9.0
9.999
10.*
10.0
10.1
10.2
10.3
10.3.999
10.4
10.5
11.*
11.0
11.1
11.3
11.4
11.5
11.6
11.7
12.*
12.0
12.1
12.2
12.3
12.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kiwitcms/PYSEC-2026-2553.yaml"