All errata/sisyphus/ALT-PU-2024-9959-10
ALT-PU-2024-9959-10

Package update python3-module-django in branch sisyphus

Version5.0.7-alt1
Task#352905
Published2026-04-30
Max severityCRITICAL
Severity:

Closed issues (77)

BDU:2024-01517
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-02-22Modified: 2025-10-24
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-04292
HIGH7.5

Уязвимость функции django.utils.text.Truncator.words() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-05-31Modified: 2025-10-24
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-06892
HIGH7.5

Уязвимость функции get_supported_language_variant() программной платформы для веб-приложений Django, связанная с ошибками при обработке параметров длины, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-09-13Modified: 2025-05-06
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-07168
MEDIUM5.3

Уязвимость метода django.contrib.auth.backends.ModelBackend.authenticate() программной платформы для веб-приложений Django, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2024-09-18
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2024-07169
HIGH7.5

Уязвимость функции django.utils.html.urlize() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-09-18Modified: 2025-05-06
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-07170
MEDIUM5.5

Уязвимость функции generate_filename() класса django.core.files.storage.Storage программной платформы для веб-приложений Django, позволяющая нарушителю записывать произвольные файлы

Published: 2024-09-18Modified: 2025-05-06
CVSS 3.xMEDIUM 5.5
CVSS:3.x/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS 2.0MEDIUM 5.2
CVSS:2.0/AV:A/AC:L/Au:S/C:P/I:P/A:P
References
BDU:2025-06450
MEDIUM4.0

Уязвимость функции django.utils.log.log_response() программной платформы для веб-приложений Django, позволяющая нарушителю получить доступ на изменение данных в журнале

Published: 2025-06-05Modified: 2025-10-24
CVSS 3.xMEDIUM 4.0
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N
References
BDU:2025-08558
MEDIUM5.3

Уязвимость функции django.utils.html.strip_tags() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-07-16Modified: 2025-10-24
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2025-11748
HIGH7.1

Уязвимость функций annotate() и alias() программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный код

Published: 2025-09-26Modified: 2025-10-24
CVSS 3.xHIGH 7.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
References
BDU:2025-12461
HIGH7.1

Уязвимость методов QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() программной платформы для веб-приложений Django, позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации

Published: 2025-10-03Modified: 2025-12-26
CVSS 3.xHIGH 7.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
References
BDU:2025-12661
LOW3.1

Уязвимость функции django.utils.archive.extract() программной платформы для веб-приложений Django, позволяющая нарушителю обойти ограничения безопасности

Published: 2025-10-09Modified: 2025-11-14
CVSS 3.xLOW 3.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0LOW 2.1
CVSS:2.0/AV:N/AC:H/Au:S/C:N/I:P/A:N
References
BDU:2025-13913
CRITICAL9.1

Уязвимость объектов QuerySet и Q программной платформы для разработки веб-приложений Django, позволяющая нарушителю раскрыть и изменить защищаемую информацию

Published: 2025-11-10Modified: 2025-12-02
CVSS 3.xCRITICAL 9.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2025-14003
HIGH7.5

Уязвимость функций Django.http.HttpResponseRedirect() и Django.http.HttpResponsePermanentRedirect() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-12
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-01121
HIGH7.5

Уязвимость функции django.core.serializers.xml_serializer.getInnerText() программной платформы для разработки веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-02-02Modified: 2026-03-17
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-02956
MEDIUM4.3

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса sql, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-12
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2026-03464
MEDIUM5.3

Уязвимость программной платформы для веб-приложений Django, связанная с раскрытием информации на основании временных расхождений, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-03-23
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:N/A:N
References
BDU:2026-03465
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-23
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03466
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-23Modified: 2026-04-27
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2026-03467
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-23
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03469
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-23
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2026-05927
MEDIUM6.5

Уязвимость функции MultiPartParser() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-04-28
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
References
CVE-2024-24680
HIGH7.5

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Published: 2024-02-06Modified: 2025-11-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-27351
MEDIUM5.3

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Published: 2024-03-15Modified: 2025-11-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
References
CVE-2024-38875
HIGH7.5

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-39329
MEDIUM5.3

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2024-39330
MEDIUM4.3

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2024-39614
HIGH7.5

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-13372
MEDIUM4.3

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Published: 2025-12-02Modified: 2025-12-12
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References
CVE-2025-13473
MEDIUM5.3

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-14550
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-32873
MEDIUM5.3

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Published: 2025-05-08Modified: 2025-09-02
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2025-48432
MEDIUM5.3

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Published: 2025-06-05Modified: 2025-10-15
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2025-57833
HIGH8.1

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

Published: 2025-09-03Modified: 2025-11-04
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-59681
CRITICAL9.8

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Published: 2025-10-01Modified: 2025-11-04
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-59682
MEDIUM6.5

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Published: 2025-10-01Modified: 2025-11-04
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-64458
HIGH7.5

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2025-11-05Modified: 2025-11-10
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-64459
CRITICAL9.1

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Published: 2025-11-05Modified: 2025-11-10
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
CVE-2025-64460
HIGH7.5

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2025-12-02Modified: 2025-12-10
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1207
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1285
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1287
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1312
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-25673
HIGH7.5

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-03-03Modified: 2026-03-05
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-25674
LOW3.7

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-03-03Modified: 2026-03-05
CVSS 3.xLOW 3.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2026-33033
MEDIUM6.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-33034
HIGH7.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-3902
HIGH7.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2026-4277
CRITICAL9.8

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2026-4292
LOW2.7

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xLOW 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
References
GHSA-33mw-q7rj-mjwj
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-4rrr-2h4v-f3j9
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-6426-9fv3-65x8
MEDIUM5.4

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-13
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
GHSA-6w2r-r2m5-xq5w
HIGH7.1

Django is subject to SQL injection through its column aliases

Published: 2025-09-08Modified: 2025-11-05
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
References
GHSA-7xr5-9hcq-chf9
MEDIUM4.0

Django Improper Output Neutralization for Logs vulnerability

Published: 2025-06-05Modified: 2025-06-10
CVSS 3.xMEDIUM 4.0
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
References
GHSA-8j24-cjrq-gr2m
MEDIUM5.3

Django has a denial-of-service possibility in strip_tags()

Published: 2025-05-08Modified: 2025-05-08
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-933h-hp56-hf7m
HIGH7.5

Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit

Published: 2026-04-07Modified: 2026-04-08
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-9jmf-237g-qf46
HIGH8.7

Django Path Traversal vulnerability

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xHIGH 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-f6f8-9mx6-9mx2
HIGH8.7

Django vulnerable to Denial of Service

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xHIGH 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References
GHSA-frmv-pr5f-9mcr
CRITICAL9.1

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Published: 2025-11-05Modified: 2025-11-27
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
GHSA-gvg8-93h5-g6qq
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References
GHSA-hpr9-3m2g-3j9p
HIGH7.1

Django vulnerable to SQL injection in column aliases

Published: 2025-10-02Modified: 2025-11-05
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
References
GHSA-mwm9-4648-f68q
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References
GHSA-q95w-c7qg-hrff
LOW3.1

Django vulnerable to partial directory traversal via archives

Published: 2025-10-02Modified: 2025-11-05
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
GHSA-qg2p-9jwr-mmqf
HIGH8.7

Django vulnerable to Denial of Service

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.xHIGH 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0HIGH 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References
GHSA-qw25-v68c-qjf3
HIGH7.5

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Published: 2025-11-05Modified: 2025-11-05
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-rqw2-ghq9-44m7
MEDIUM4.3

Django is vulnerable to SQL injection in column aliases

Published: 2025-12-02Modified: 2025-12-03
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References
GHSA-vm8q-m57g-pff3
MEDIUM5.3

Regular expression denial-of-service in Django

Published: 2024-03-16Modified: 2025-11-05
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
References
GHSA-vrcr-9hj9-jcg6
MEDIUM6.3

Django is vulnerable to DoS via XML serializer text extraction

Published: 2025-12-02Modified: 2025-12-03
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References
GHSA-x7q2-wr7g-xqmf
MEDIUM6.9

Django vulnerable to user enumeration attack

Published: 2024-07-10Modified: 2025-11-04
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-xxj9-f6rv-m3x4
HIGH8.2

Django denial-of-service attack in the intcomma template filter

Published: 2024-02-07Modified: 2025-11-05
CVSS 3.xHIGH 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0HIGH 8.2
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References