All errata/sisyphus/ALT-PU-2026-3199-3
ALT-PU-2026-3199-3

Package update python3-module-django in branch sisyphus

Version5.2.11-alt1
Task#408645
Published2026-03-24
Max severityHIGH
Severity:

Closed issues (17)

BDU:2026-03464
MEDIUM5.3

Уязвимость программной платформы для веб-приложений Django, связанная с раскрытием информации на основании временных расхождений, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-03-23
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:N/A:N
References
BDU:2026-03465
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-23
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03466
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-23Modified: 2026-04-27
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2026-03467
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-23Modified: 2026-05-06
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03469
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-23
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
CVE-2025-13473
MEDIUM5.3

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-14550
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1207
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1285
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1287
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1312
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
GHSA-33mw-q7rj-mjwj
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-4rrr-2h4v-f3j9
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-6426-9fv3-65x8
MEDIUM5.4

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-13
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
GHSA-gvg8-93h5-g6qq
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References
GHSA-mwm9-4648-f68q
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References