Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community

Type apk

Namespace alpine

Name py3-django

Version 5.2.13-r0

Qualifiers

arch	armv7
distroversion	edge
reponame	community

Subpath

Is_vulnerable false

Next_non_vulnerable_version 5.2.14-r0

Latest_non_vulnerable_version 5.2.14-r0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-32d1-b8f2-hud5

vulnerability_id VCID-32d1-b8f2-hud5

summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
`HttpRequest.body`, allowing remote attackers to load an unbounded request body into
memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33034.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33034.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33034

reference_id

reference_type

scores

value	0.00035
scoring_system	epss
scoring_elements	0.10784
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33034

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://docs.djangoproject.com/en/dev/releases/security/

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/

url

https://docs.djangoproject.com/en/dev/releases/security/

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33034

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33034

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927
reference_id	1132927
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2455927
reference_id	2455927
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2455927

reference_url	https://usn.ubuntu.com/8154-1/
reference_id	USN-8154-1
reference_type
scores
url	https://usn.ubuntu.com/8154-1/

fixed_packages

url	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
purl	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/py3-django@5.2.13-r0%3Farch=armv7&distroversion=edge&reponame=community

aliases BIT-django-2026-33034, CVE-2026-33034, GHSA-933h-hp56-hf7m, PYSEC-2026-49

risk_score 3.0

exploitability 0.5

weighted_severity 6.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-32d1-b8f2-hud5

url VCID-cg44-thdw-cygg

vulnerability_id VCID-cg44-thdw-cygg

summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new
instances to be created via forged `POST` data.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4292.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4292.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-4292

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.02704
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-4292

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://docs.djangoproject.com/en/dev/releases/security/

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/

url

https://docs.djangoproject.com/en/dev/releases/security/

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-4292

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-4292

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927
reference_id	1132927
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2455941
reference_id	2455941
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2455941

reference_url	https://usn.ubuntu.com/8154-1/
reference_id	USN-8154-1
reference_type
scores
url	https://usn.ubuntu.com/8154-1/

reference_url	https://usn.ubuntu.com/8154-2/
reference_id	USN-8154-2
reference_type
scores
url	https://usn.ubuntu.com/8154-2/

fixed_packages

url	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
purl	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/py3-django@5.2.13-r0%3Farch=armv7&distroversion=edge&reponame=community

aliases BIT-django-2026-4292, CVE-2026-4292, GHSA-mmwr-2jhp-mc7j, PYSEC-2026-53

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cg44-thdw-cygg

url VCID-heum-8mwz-sbcw

vulnerability_id VCID-heum-8mwz-sbcw

summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-4277

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.0645
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-4277

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://docs.djangoproject.com/en/dev/releases/security/

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://docs.djangoproject.com/en/dev/releases/security/

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-4277

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-4277

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases

reference_url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927
reference_id	1132927
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2455939
reference_id	2455939
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2455939

reference_url	https://usn.ubuntu.com/8154-1/
reference_id	USN-8154-1
reference_type
scores
url	https://usn.ubuntu.com/8154-1/

reference_url	https://usn.ubuntu.com/8154-2/
reference_id	USN-8154-2
reference_type
scores
url	https://usn.ubuntu.com/8154-2/

fixed_packages

url	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
purl	pkg:apk/alpine/py3-django@5.2.13-r0?arch=armv7&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/py3-django@5.2.13-r0%3Farch=armv7&distroversion=edge&reponame=community

aliases BIT-django-2026-4277, CVE-2026-4277, GHSA-pwjp-ccjc-ghwg, PYSEC-2026-52

risk_score 3.9

exploitability 0.5

weighted_severity 7.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-heum-8mwz-sbcw

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/py3-django@5.2.13-r0%3Farch=armv7&distroversion=edge&reponame=community

Package Instance