All errata/p11/ALT-PU-2026-8405-3
ALT-PU-2026-8405-3

Package update python3-module-django in branch p11

Version5.2.14-alt1
Task#419270
Published2026-06-04
Max severityCRITICAL
Severity:

Closed issues (65)

BDU:2025-11748
HIGH7.1

Уязвимость функций annotate() и alias() программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный код

Published: 2025-09-25Modified: 2025-10-23
CVSS 3.xHIGH 7.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
References
BDU:2025-12461
HIGH7.1

Уязвимость методов QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() программной платформы для веб-приложений Django, позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации

Published: 2025-10-02Modified: 2025-12-25
CVSS 3.xHIGH 7.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
References
BDU:2025-12661
LOW3.1

Уязвимость функции django.utils.archive.extract() программной платформы для веб-приложений Django, позволяющая нарушителю обойти ограничения безопасности

Published: 2025-10-08Modified: 2025-11-13
CVSS 3.xLOW 3.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0LOW 2.1
CVSS:2.0/AV:N/AC:H/Au:S/C:N/I:P/A:N
References
BDU:2025-13913
CRITICAL9.1

Уязвимость объектов QuerySet и Q программной платформы для разработки веб-приложений Django, позволяющая нарушителю раскрыть и изменить защищаемую информацию

Published: 2025-11-09Modified: 2025-12-01
CVSS 3.xCRITICAL 9.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2025-14003
HIGH7.5

Уязвимость функций Django.http.HttpResponseRedirect() и Django.http.HttpResponsePermanentRedirect() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-11
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-01121
HIGH7.5

Уязвимость функции django.core.serializers.xml_serializer.getInnerText() программной платформы для разработки веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-02-01Modified: 2026-05-25
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-02956
MEDIUM4.3

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса sql, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-11
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2026-03464
MEDIUM5.3

Уязвимость программной платформы для веб-приложений Django, связанная с раскрытием информации на основании временных расхождений, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-03-22
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 4.9
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:N/A:N
References
BDU:2026-03465
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-22
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03466
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-22Modified: 2026-04-26
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2026-03467
HIGH7.5

Уязвимость программной платформы для веб-приложений Django, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-03-22Modified: 2026-05-25
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-03469
MEDIUM5.4

Уязвимость программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Published: 2026-03-22
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
References
BDU:2026-05927
MEDIUM6.5

Уязвимость функции MultiPartParser() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-04-27Modified: 2026-05-27
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
References
BDU:2026-07722
HIGH7.5

Уязвимость компонента ASGI программной платформы для веб-приложений Django, позволяющая нарушителю проводить спуфинг-атаки

Published: 2026-06-02
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
References
BDU:2026-07723
CRITICAL9.8

Уязвимость класса GenericInlineModelAdmin фреймворка для веб-разработки Django, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-06-02
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2026-07724
LOW2.7

Уязвимость фреймворка для веб-разработки Django, связанная с недостатками процедуры авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-06-02
CVSS 3.xLOW 2.7
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
References
BDU:2026-07725
HIGH7.5

Уязвимость механизма обработки ASGI-запросов программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-06-02
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2026-07736
LOW3.7

Уязвимость программной платформы для веб-приложений Django, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-06-02
CVSS 3.xLOW 3.7
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N
References
BDU:2026-07737
HIGH7.5

Уязвимость функции URLField.to_python() программной платформы для веб-приложений Django, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-06-02
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
CVE-2025-13372
MEDIUM4.3

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Published: 2025-12-02Modified: 2025-12-12
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References
CVE-2025-13473
MEDIUM5.3

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-14550
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-57833
HIGH8.1

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

Published: 2025-09-03Modified: 2025-11-04
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-59681
CRITICAL9.8

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Published: 2025-10-01Modified: 2025-11-04
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-59682
MEDIUM6.5

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Published: 2025-10-01Modified: 2025-11-04
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2025-64458
HIGH7.5

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2025-11-05Modified: 2025-11-10
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2025-64459
CRITICAL9.1

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Published: 2025-11-05Modified: 2025-11-10
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
CVE-2025-64460
HIGH7.5

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2025-12-02Modified: 2025-12-10
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1207
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1285
HIGH7.5

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-1287
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-1312
MEDIUM5.4

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Published: 2026-02-03Modified: 2026-02-04
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2026-25673
HIGH7.5

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-03-03Modified: 2026-03-05
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-25674
LOW3.7

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-03-03Modified: 2026-03-05
CVSS 3.xLOW 3.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2026-33033
MEDIUM6.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-33034
HIGH7.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2026-35192
LOW2.3

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Published: 2026-05-05Modified: 2026-05-07
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-3902
HIGH7.5

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2026-4277
CRITICAL9.8

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2026-4292
LOW2.7

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Published: 2026-04-07Modified: 2026-04-13
CVSS 3.xLOW 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
References
CVE-2026-5766
MEDIUM6.3

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Published: 2026-05-05Modified: 2026-05-07
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-6907
LOW2.3

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.

Published: 2026-05-05Modified: 2026-05-07
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
GHSA-33mw-q7rj-mjwj
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-4rrr-2h4v-f3j9
LOW2.7

Django has Inefficient Algorithmic Complexity

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0LOW 2.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
References
GHSA-5hrc-gvxj-w55p
LOW2.3

Django Uses Cache Containing Sensitive Information

Published: 2026-05-05Modified: 2026-05-08
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-5mf9-h53q-7mhq
MEDIUM6.5

Django has potential DoS via MultiPartParser through crafted multipart uploads

Published: 2026-04-07Modified: 2026-04-08
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
GHSA-6426-9fv3-65x8
MEDIUM5.4

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-13
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
GHSA-6w2r-r2m5-xq5w
HIGH7.1

Django is subject to SQL injection through its column aliases

Published: 2025-09-08Modified: 2025-11-05
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
References
GHSA-7h2m-m8vj-598h
LOW2.3

Django Uses Persistent Cookies Containing Sensitive Information

Published: 2026-05-05Modified: 2026-05-08
CVSS 4.0LOW 2.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-933h-hp56-hf7m
HIGH7.5

Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit

Published: 2026-04-07Modified: 2026-04-08
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-frmv-pr5f-9mcr
CRITICAL9.1

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Published: 2025-11-05Modified: 2025-11-27
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
GHSA-gvg8-93h5-g6qq
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References
GHSA-hpr9-3m2g-3j9p
HIGH7.1

Django vulnerable to SQL injection in column aliases

Published: 2025-10-01Modified: 2025-11-05
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
References
GHSA-mwm9-4648-f68q
HIGH8.1

Django has an SQL Injection issue

Published: 2026-02-03Modified: 2026-02-03
CVSS 4.0HIGH 8.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
References
GHSA-q95w-c7qg-hrff
LOW3.1

Django vulnerable to partial directory traversal via archives

Published: 2025-10-01Modified: 2025-11-05
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
GHSA-qw25-v68c-qjf3
HIGH7.5

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Published: 2025-11-05Modified: 2025-11-05
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-rqw2-ghq9-44m7
MEDIUM4.3

Django is vulnerable to SQL injection in column aliases

Published: 2025-12-02Modified: 2025-12-03
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References
GHSA-vrcr-9hj9-jcg6
MEDIUM6.3

Django is vulnerable to DoS via XML serializer text extraction

Published: 2025-12-02Modified: 2025-12-03
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References
GHSA-w26r-rmm8-9c29
MEDIUM6.3

Django has an Improper Handling of Length Parameter Inconsistency

Published: 2026-05-05Modified: 2026-05-08
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0MEDIUM 6.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References