| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-2ft7-rbey-kuhx |
| vulnerability_id |
VCID-2ft7-rbey-kuhx |
| summary |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) |
| references |
| 5 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 7 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.17 |
| purl |
pkg:pypi/django@4.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 5 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 12 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 13 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 14 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 15 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 16 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 17 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 18 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 19 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 20 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 21 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 22 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 23 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.17 |
|
| 2 |
| url |
pkg:pypi/django@5.1.4 |
| purl |
pkg:pypi/django@5.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 11 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4 |
|
|
| aliases |
BIT-django-2024-53908, CVE-2024-53908, GHSA-m9g8-fxxm-xg86, PYSEC-2024-157
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2ft7-rbey-kuhx |
|
| 1 |
| url |
VCID-4kcg-gx5y-cuaw |
| vulnerability_id |
VCID-4kcg-gx5y-cuaw |
| summary |
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue. |
| references |
| 9 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
|
| fixed_packages |
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2026-1207, CVE-2026-1207, GHSA-mwm9-4648-f68q, PYSEC-2026-44
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4kcg-gx5y-cuaw |
|
| 2 |
| url |
VCID-4tyd-97z5-z3ar |
| vulnerability_id |
VCID-4tyd-97z5-z3ar |
| summary |
Django allows enumeration of user e-mail addresses
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
| references |
| 27 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 31 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:35:34Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.16 |
| purl |
pkg:pypi/django@4.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 3 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 4 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 5 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 6 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 7 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 8 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 9 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 10 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 11 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 12 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 13 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 14 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 15 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 16 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 17 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 18 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 19 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 20 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 21 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 22 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 23 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 24 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 25 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.16 |
|
| 2 |
| url |
pkg:pypi/django@5.1.1 |
| purl |
pkg:pypi/django@5.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 4 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 8 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 9 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 10 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.1 |
|
|
| aliases |
CVE-2024-45231, GHSA-rrqc-c2jx-6jgv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4tyd-97z5-z3ar |
|
| 3 |
| url |
VCID-5xtt-au84-zbb2 |
| vulnerability_id |
VCID-5xtt-au84-zbb2 |
| summary |
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
| references |
| 32 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:12:04Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.25 |
| purl |
pkg:pypi/django@4.2.25 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 6 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 7 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 8 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 9 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 10 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 11 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 12 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 13 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 14 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 15 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 16 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25 |
|
| 3 |
| url |
pkg:pypi/django@5.2a1 |
| purl |
pkg:pypi/django@5.2a1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 5 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 6 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 7 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 8 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2a1 |
|
| 4 |
| url |
pkg:pypi/django@5.2.7 |
| purl |
pkg:pypi/django@5.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 4 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 8 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 9 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 10 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 11 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 12 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 13 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 14 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 15 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 16 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 17 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 18 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 19 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7 |
|
|
| aliases |
BIT-django-2025-59681, CVE-2025-59681, GHSA-hpr9-3m2g-3j9p, PYSEC-2025-106
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5xtt-au84-zbb2 |
|
| 4 |
| url |
VCID-7c5n-nzwk-v7bz |
| vulnerability_id |
VCID-7c5n-nzwk-v7bz |
| summary |
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases when a suitably crafted dictionary, with dictionary expansion, is passed as the `**kwargs` to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.27 |
| purl |
pkg:pypi/django@4.2.27 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 2 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 3 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 6 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 7 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 8 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 9 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 10 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 11 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 12 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27 |
|
| 3 |
| url |
pkg:pypi/django@5.2.9 |
| purl |
pkg:pypi/django@5.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 2 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 3 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 4 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 5 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 6 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 7 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 8 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 9 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 10 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 11 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 12 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 13 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 14 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 15 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9 |
|
|
| aliases |
BIT-django-2025-13372, CVE-2025-13372, GHSA-rqw2-ghq9-44m7, PYSEC-2025-104
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7c5n-nzwk-v7bz |
|
| 5 |
| url |
VCID-7upw-5p86-8bfr |
| vulnerability_id |
VCID-7upw-5p86-8bfr |
| summary |
Django vulnerable to Uncontrolled Resource Consumption
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-25673, GHSA-8p8v-wh79-9r56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7upw-5p86-8bfr |
|
| 6 |
| url |
VCID-9gq3-whr8-s7b8 |
| vulnerability_id |
VCID-9gq3-whr8-s7b8 |
| summary |
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. |
| references |
| 6 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.14 |
| purl |
pkg:pypi/django@4.2.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 9 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 10 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 11 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 12 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 13 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 14 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 15 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 16 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 17 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 18 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 19 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 20 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 21 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 22 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 23 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 24 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 25 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 26 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 27 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 28 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 29 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 30 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 31 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14 |
|
| 1 |
| url |
pkg:pypi/django@5.0.7 |
| purl |
pkg:pypi/django@5.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 6 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 14 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7 |
|
|
| aliases |
BIT-django-2024-38875, CVE-2024-38875, GHSA-qg2p-9jwr-mmqf, PYSEC-2024-56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9gq3-whr8-s7b8 |
|
| 7 |
| url |
VCID-9kvc-1bdz-n3bd |
| vulnerability_id |
VCID-9kvc-1bdz-n3bd |
| summary |
denial of service |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.21 |
| purl |
pkg:pypi/django@4.2.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 8 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 9 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 10 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 11 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 12 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 13 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 14 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 15 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 16 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 17 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 18 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 19 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 20 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.21 |
|
| 2 |
| url |
pkg:pypi/django@5.2.1 |
| purl |
pkg:pypi/django@5.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 5 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 6 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 7 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 8 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 9 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 10 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 11 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 12 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 13 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 14 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 15 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 16 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 17 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 18 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 19 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 20 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 21 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 22 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 23 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.1 |
|
|
| aliases |
BIT-django-2025-32873, CVE-2025-32873, GHSA-8j24-cjrq-gr2m, PYSEC-2025-37
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9kvc-1bdz-n3bd |
|
| 8 |
| url |
VCID-am3f-c5ex-8ff2 |
| vulnerability_id |
VCID-am3f-c5ex-8ff2 |
| summary |
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
| references |
| 5 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.7 |
| purl |
pkg:pypi/django@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 7 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 8 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 9 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 10 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 11 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 12 |
| vulnerability |
VCID-fsaw-3ta1-x3dw |
|
| 13 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 14 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 15 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 16 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 17 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 18 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 19 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 20 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 21 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 22 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 23 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 24 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 25 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 26 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 27 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 28 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 29 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 30 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 31 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 32 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 33 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 34 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 35 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 36 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
| 37 |
| vulnerability |
VCID-yuda-1mur-8bbq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.7 |
|
|
| aliases |
BIT-django-2023-46695, CVE-2023-46695, GHSA-qmf9-6jqf-j8fq, PYSEC-2023-222
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-am3f-c5ex-8ff2 |
|
| 9 |
| url |
VCID-bb8b-hq41-s7a6 |
| vulnerability_id |
VCID-bb8b-hq41-s7a6 |
| summary |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
| references |
| 30 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
|
| 1 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:12Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.22 |
| purl |
pkg:pypi/django@4.2.22 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 7 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 8 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 9 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 10 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 11 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 12 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 13 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 14 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 15 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 16 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 17 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 18 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 19 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.22 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.2.2 |
| purl |
pkg:pypi/django@5.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 5 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 12 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 13 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 14 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 15 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 16 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 17 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 18 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 19 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 20 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 21 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 22 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.2 |
|
|
| aliases |
BIT-django-2025-48432, CVE-2025-48432, GHSA-7xr5-9hcq-chf9, PYSEC-2025-47
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bb8b-hq41-s7a6 |
|
| 10 |
| url |
VCID-e12b-tw2c-53c9 |
| vulnerability_id |
VCID-e12b-tw2c-53c9 |
| summary |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T17:57:11Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.15 |
| purl |
pkg:pypi/django@4.2.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 9 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 10 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 11 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 12 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 13 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 14 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 15 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 16 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 17 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 18 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 19 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 20 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 21 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 22 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 23 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 24 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 25 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 26 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 27 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.15 |
|
| 1 |
| url |
pkg:pypi/django@5.0.8 |
| purl |
pkg:pypi/django@5.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 5 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 6 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 7 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 8 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8 |
|
|
| aliases |
BIT-django-2024-41991, CVE-2024-41991, GHSA-r836-hh6v-rg5g, PYSEC-2024-69
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e12b-tw2c-53c9 |
|
| 11 |
| url |
VCID-e8j6-mybr-17fh |
| vulnerability_id |
VCID-e8j6-mybr-17fh |
| summary |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-10T13:59:56Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.14 |
| purl |
pkg:pypi/django@4.2.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 9 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 10 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 11 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 12 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 13 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 14 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 15 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 16 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 17 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 18 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 19 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 20 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 21 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 22 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 23 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 24 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 25 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 26 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 27 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 28 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 29 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 30 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 31 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14 |
|
| 1 |
| url |
pkg:pypi/django@5.0.7 |
| purl |
pkg:pypi/django@5.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 6 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 14 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7 |
|
|
| aliases |
BIT-django-2024-39330, CVE-2024-39330, GHSA-9jmf-237g-qf46, PYSEC-2024-58
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e8j6-mybr-17fh |
|
| 12 |
| url |
VCID-fcg9-xypn-ykhf |
| vulnerability_id |
VCID-fcg9-xypn-ykhf |
| summary |
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.27 |
| purl |
pkg:pypi/django@4.2.27 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 2 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 3 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 6 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 7 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 8 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 9 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 10 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 11 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 12 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@5.2.9 |
| purl |
pkg:pypi/django@5.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 2 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 3 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 4 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 5 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 6 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 7 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 8 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 9 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 10 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 11 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 12 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 13 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 14 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 15 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9 |
|
| 4 |
|
|
| aliases |
BIT-django-2025-64460, CVE-2025-64460, GHSA-vrcr-9hj9-jcg6, PYSEC-2025-109
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg9-xypn-ykhf |
|
| 13 |
| url |
VCID-fsaw-3ta1-x3dw |
| vulnerability_id |
VCID-fsaw-3ta1-x3dw |
| summary |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.11 |
| purl |
pkg:pypi/django@4.2.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 7 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 8 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 9 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 10 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 11 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 12 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 13 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 14 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 15 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 16 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 17 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 18 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 19 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 20 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 21 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 22 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 23 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 24 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 25 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 26 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 27 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 28 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 29 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 30 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 31 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 32 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 33 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 34 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 35 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.11 |
|
| 1 |
| url |
pkg:pypi/django@5.0.3 |
| purl |
pkg:pypi/django@5.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 5 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 8 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 9 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 10 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 11 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 12 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 13 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 14 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 15 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 16 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 17 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 18 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.3 |
|
|
| aliases |
BIT-django-2024-27351, CVE-2024-27351, GHSA-vm8q-m57g-pff3, PYSEC-2024-47
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fsaw-3ta1-x3dw |
|
| 14 |
| url |
VCID-ga69-9y5g-77c3 |
| vulnerability_id |
VCID-ga69-9y5g-77c3 |
| summary |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.26 |
| purl |
pkg:pypi/django@4.2.26 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 4 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 5 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 6 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 7 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 8 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 9 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 10 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 11 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 12 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 13 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 14 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.26 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.2.8 |
| purl |
pkg:pypi/django@5.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 4 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 7 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 8 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 9 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 10 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 11 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 12 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 13 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 14 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 15 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 16 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 17 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8 |
|
| 3 |
|
|
| aliases |
BIT-django-2025-64458, CVE-2025-64458, GHSA-qw25-v68c-qjf3, PYSEC-2025-107
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ga69-9y5g-77c3 |
|
| 15 |
| url |
VCID-ga7z-wj4j-63h1 |
| vulnerability_id |
VCID-ga7z-wj4j-63h1 |
| summary |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2026-33034, CVE-2026-33034, GHSA-933h-hp56-hf7m, PYSEC-2026-49
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ga7z-wj4j-63h1 |
|
| 16 |
| url |
VCID-hsjn-xnpp-5yeh |
| vulnerability_id |
VCID-hsjn-xnpp-5yeh |
| summary |
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:30:05Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.16 |
| purl |
pkg:pypi/django@4.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 3 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 4 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 5 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 6 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 7 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 8 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 9 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 10 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 11 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 12 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 13 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 14 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 15 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 16 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 17 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 18 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 19 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 20 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 21 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 22 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 23 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 24 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 25 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.16 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.1.1 |
| purl |
pkg:pypi/django@5.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 4 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 8 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 9 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 10 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.1 |
|
|
| aliases |
BIT-django-2024-45230, CVE-2024-45230, GHSA-5hgc-2vfp-mqvc, PYSEC-2024-102
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hsjn-xnpp-5yeh |
|
| 17 |
| url |
VCID-jgv9-vdbm-sycd |
| vulnerability_id |
VCID-jgv9-vdbm-sycd |
| summary |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T19:34:43Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.15 |
| purl |
pkg:pypi/django@4.2.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 9 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 10 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 11 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 12 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 13 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 14 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 15 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 16 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 17 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 18 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 19 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 20 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 21 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 22 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 23 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 24 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 25 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 26 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 27 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.15 |
|
| 1 |
| url |
pkg:pypi/django@5.0.8 |
| purl |
pkg:pypi/django@5.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 5 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 6 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 7 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 8 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8 |
|
|
| aliases |
BIT-django-2024-41989, CVE-2024-41989, GHSA-jh75-99hh-qvx9, PYSEC-2024-67
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jgv9-vdbm-sycd |
|
| 18 |
| url |
VCID-jybd-p65h-xffy |
| vulnerability_id |
VCID-jybd-p65h-xffy |
| summary |
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue. |
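The enumeration described above works because a password check that returns early for a nonexistent user answers much faster than one that has to run the password hasher. The added example below (this page's own illustration, not Django's mod_wsgi handler) puts a leaky check beside one that does the same amount of hashing work whether or not the user exists, the same dummy-hash approach Django's ModelBackend.authenticate() uses for unknown users. PBKDF2 parameters, the ITERATIONS value (lowered so the example runs quickly) and the user table are constructed for the demo; the hash_calls counter stands in for what an attacker actually measures, response time.

```python
import hashlib
import hmac
import os

# Assumptions for the demo: PBKDF2-SHA256 with a reduced iteration count so
# the example runs in a few milliseconds; a real deployment uses far more.
ITERATIONS = 20_000
SALT_BYTES = 16
DUMMY_SALT = b"\x00" * SALT_BYTES

# Instrumentation: how many times the expensive hash ran. A remote attacker
# observes this indirectly, as the response time of the login endpoint.
hash_calls = 0


def slow_hash(password, salt):
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password):
    """Constructed user record: (salt, digest)."""
    salt = os.urandom(SALT_BYTES)
    return salt, slow_hash(password, salt)


def check_password_leaky(users, username, password):
    """Returns in microseconds for an unknown user and only after a full
    PBKDF2 run for a known one: that difference enumerates valid usernames.
    The '==' on digests is not constant-time either."""
    record = users.get(username)
    if record is None:
        return False
    salt, digest = record
    return slow_hash(password, salt) == digest


def check_password_constant_work(users, username, password):
    """Performs exactly one hash computation on every call, known user or
    not, and compares digests with hmac.compare_digest."""
    record = users.get(username)
    if record is None:
        # Burn the same work against a dummy record so the response time
        # does not depend on whether the username exists.
        slow_hash(password, DUMMY_SALT)
        return False
    salt, digest = record
    return hmac.compare_digest(slow_hash(password, salt), digest)


def hash_calls_for(check, users, username, password):
    """Run ``check`` and report (result, number_of_hash_computations)."""
    global hash_calls
    hash_calls = 0
    result = check(users, username, password)
    return result, hash_calls


# Constructed user table for the demo.
USERS = {"alice": make_user("correct horse battery staple")}
```

The dummy run only equalises timing if it uses the same algorithm and work factor as the stored records; a deployment that keeps users on different hashers (for example during a migration to a stronger one) still leaks which hasher a given account is on.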
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
2.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2025-13473, CVE-2025-13473, GHSA-2mcm-79hx-8fxw, PYSEC-2026-42
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jybd-p65h-xffy |
|
| 19 |
| url |
VCID-kxdd-yzp3-r7cb |
| vulnerability_id |
VCID-kxdd-yzp3-r7cb |
| summary |
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated when forged `POST` data was
submitted to `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2026-4277, CVE-2026-4277, GHSA-pwjp-ccjc-ghwg, PYSEC-2026-52
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kxdd-yzp3-r7cb |
|
| 20 |
| url |
VCID-m33h-4p9q-63fb |
| vulnerability_id |
VCID-m33h-4p9q-63fb |
| summary |
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.6 |
| purl |
pkg:pypi/django@4.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 7 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 8 |
| vulnerability |
VCID-am3f-c5ex-8ff2 |
|
| 9 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 10 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 11 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 12 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 13 |
| vulnerability |
VCID-fsaw-3ta1-x3dw |
|
| 14 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 15 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 16 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 17 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 18 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 19 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 20 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 21 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 22 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 23 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 24 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 25 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 26 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 27 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 28 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 29 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 30 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 31 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 32 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 33 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 34 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 35 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 36 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 37 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
| 38 |
| vulnerability |
VCID-yuda-1mur-8bbq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.6 |
|
|
| aliases |
BIT-django-2023-43665, CVE-2023-43665, GHSA-h8gc-pgj2-vjm3, PYSEC-2023-226
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m33h-4p9q-63fb |
|
| 21 |
| url |
VCID-n2v7-jqjy-37bc |
| vulnerability_id |
VCID-n2v7-jqjy-37bc |
| summary |
Django vulnerable to partial directory traversal via archives
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
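"Partial" traversal via a shared prefix is what happens when containment is tested with a string prefix: "/tmp/proj_evil/x" starts with "/tmp/proj", so an archive member that escapes into a sibling directory whose name extends the target's passes. The added example below (written for this page, not Django's django.utils.archive code) puts that flawed test next to a path-component check built on commonpath, and runs both over a constructed archive listing. posixpath is used explicitly so results do not depend on the host platform; the target directory, member names and function names are this example's own.

```python
import posixpath

# Both checks take an absolute POSIX target directory and a member name as it
# appears inside the archive.


def prefix_check(target, member):
    """The flawed test. "/tmp/proj_evil/x" starts with "/tmp/proj", so a
    member that escapes into a sibling directory sharing the prefix is
    accepted."""
    dest = posixpath.normpath(posixpath.join(target, member))
    return dest.startswith(target)


def is_contained(target, member):
    """Path-component containment: the longest common path of target and
    destination must be the target itself (so the destination is the target
    or something below it). A member with an absolute path makes join()
    discard the target, and commonpath then comes back as "/"."""
    target = posixpath.normpath(target)
    dest = posixpath.normpath(posixpath.join(target, member))
    return posixpath.commonpath([target, dest]) == target


def unsafe_members(target, names):
    """Names from an archive listing that would be written outside target."""
    return [name for name in names if not is_contained(target, name)]


# Constructed archive listing for the demo; the first three are benign.
SAMPLE_MEMBERS = [
    "manage.py",
    "app/models.py",
    "../proj/settings.py",          # normalises back inside the target
    "../proj_evil/pwned.py",        # shares the prefix "/tmp/proj"; escapes
    "../../etc/cron.d/job",         # classic traversal
    "/etc/passwd",                  # absolute member path
]
```

Run unsafe_members() over the listing before extracting anything and abort on a non-empty result rather than skipping the offending entries, since a template archive with one traversal entry is not one you want to use. Symlink entries are a separate problem: this check only looks at names, and a link inside the archive that points outside the target needs its own handling.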
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.25 |
| purl |
pkg:pypi/django@4.2.25 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 6 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 7 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 8 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 9 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 10 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 11 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 12 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 13 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 14 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 15 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 16 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@5.2a1 |
| purl |
pkg:pypi/django@5.2a1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 5 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 6 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 7 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 8 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2a1 |
|
| 4 |
| url |
pkg:pypi/django@5.2.7 |
| purl |
pkg:pypi/django@5.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 4 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 7 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 8 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 9 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 10 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 11 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 12 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 13 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 14 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 15 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 16 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 17 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 18 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 19 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7 |
|
| 5 |
|
|
| aliases |
CVE-2025-59682, GHSA-q95w-c7qg-hrff
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n2v7-jqjy-37bc |
|
| 22 |
| url |
VCID-pa7y-gpwp-6qgj |
| vulnerability_id |
VCID-pa7y-gpwp-6qgj |
| summary |
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) |
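The fix class for this entry, and for the other length-driven denial-of-service entries on this page (Truncator, uri_to_iri, wrap/wordwrap, urlize, get_supported_language_variant), is the same: bound the input before handing it to the routine whose cost grows with its size. The added example below (this page's illustration, not Django's clean_ipv6_address or GenericIPAddressField) does that for IPv6 text using the standard library parser. The 45-character bound is this example's assumption, derived from the longest standard textual form, an IPv4-embedded address with every group written out; the function names are also its own.

```python
import ipaddress

# Assumed bound. The longest standard textual IPv6 form is an IPv4-embedded
# address with every group written out, e.g.
# "0000:0000:0000:0000:0000:ffff:255.255.255.255" (45 characters).
# Scoped addresses with a zone id ("fe80::1%eth0") need a larger bound if an
# application accepts them at all.
MAX_IPV6_TEXT_LENGTH = 45


def validate_ipv6(value, max_length=MAX_IPV6_TEXT_LENGTH):
    """Return the compressed canonical form of ``value`` or raise ValueError.

    The length test runs first so that an oversized string is refused in
    O(1) instead of being passed to the parser (or to a clean-up step that
    rewrites the string), whose time and memory grow with the input.
    """
    if not isinstance(value, str):
        raise ValueError("IPv6 address must be a string")
    if len(value) > max_length:
        raise ValueError(f"IPv6 address longer than {max_length} characters")
    try:
        return str(ipaddress.IPv6Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"invalid IPv6 address: {exc}") from None


def is_valid_ipv6(value, max_length=MAX_IPV6_TEXT_LENGTH):
    """Boolean form of validate_ipv6() for use in form-field style checks."""
    try:
        validate_ipv6(value, max_length)
    except ValueError:
        return False
    return True
```

The same shape applies to any filter that does regex or string rewriting on user input: decide the largest input the feature legitimately needs, reject above it, and only then run the expensive routine.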
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.18 |
| purl |
pkg:pypi/django@4.2.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 5 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 12 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 13 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 14 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 15 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 16 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 17 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 18 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 19 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 20 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 21 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 22 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.18 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.1.5 |
| purl |
pkg:pypi/django@5.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 7 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 8 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.5 |
|
|
| aliases |
BIT-django-2024-56374, CVE-2024-56374, GHSA-qcgg-j2x8-h9g8, PYSEC-2025-1
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pa7y-gpwp-6qgj |
|
| 23 |
| url |
VCID-phkp-9abp-f3dq |
| vulnerability_id |
VCID-phkp-9abp-f3dq |
| summary |
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2026-3902, CVE-2026-3902, GHSA-mvfq-ggxm-9mc5, PYSEC-2026-51
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-phkp-9abp-f3dq |
|
| 24 |
| url |
VCID-qgp1-4efd-6yg6 |
| vulnerability_id |
VCID-qgp1-4efd-6yg6 |
| summary |
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.5 |
| purl |
pkg:pypi/django@4.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 7 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 8 |
| vulnerability |
VCID-am3f-c5ex-8ff2 |
|
| 9 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 10 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 11 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 12 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 13 |
| vulnerability |
VCID-fsaw-3ta1-x3dw |
|
| 14 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 15 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 16 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 17 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 18 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 19 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 20 |
| vulnerability |
VCID-m33h-4p9q-63fb |
|
| 21 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 22 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 23 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 24 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 25 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 26 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 27 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 28 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 29 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 30 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 31 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 32 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 33 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 34 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 35 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 36 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 37 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 38 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
| 39 |
| vulnerability |
VCID-yuda-1mur-8bbq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.5 |
|
|
| aliases |
BIT-django-2023-41164, CVE-2023-41164, GHSA-7h4p-27mh-hmrw, PYSEC-2023-225
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgp1-4efd-6yg6 |
|
| 25 |
| url |
VCID-qy1a-x3ff-4bc8 |
| vulnerability_id |
VCID-qy1a-x3ff-4bc8 |
| summary |
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.20 |
| purl |
pkg:pypi/django@4.2.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 5 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 12 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 13 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 14 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 15 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 16 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 17 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 18 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 19 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 20 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 21 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.20 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| url |
pkg:pypi/django@5.1.7 |
| purl |
pkg:pypi/django@5.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 7 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 8 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 9 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.7 |
|
| 5 |
| url |
pkg:pypi/django@5.2a1 |
| purl |
pkg:pypi/django@5.2a1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 5 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 6 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 7 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 8 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2a1 |
|
|
| aliases |
BIT-django-2025-26699, CVE-2025-26699, GHSA-p3fp-8748-vqfq, PYSEC-2025-13
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qy1a-x3ff-4bc8 |
|
| 26 |
| url |
VCID-r1vx-vv7d-gqaj |
| vulnerability_id |
VCID-r1vx-vv7d-gqaj |
| summary |
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Jiyong Yang for reporting this issue. |
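Both ASGIRequest entries on this page (the hyphen/underscore header spoofing above under VCID-phkp-9abp-f3dq, and the duplicate-header denial of service here) come from the step that turns an ASGI header list into WSGI-style HTTP_* keys. The added example below is this page's own illustration of that step, not Django's ASGIRequest code, and does not claim to reproduce either bug's exact mechanism. It shows a naive mapping in which "x-forwarded-for" and "x_forwarded_for" collapse onto one key with the later value winning, beside a strict mapping that drops underscore names (the policy nginx applies by default), caps the number of fields, and merges repeated fields with a single join rather than repeated concatenation, which is the assumed cost driver for duplicates. MAX_HEADERS, the sample headers and the function names are constructed for the demo.

```python
# ASGI servers deliver headers as a list of (name, value) byte pairs with
# lowercase names; the sample list and the cap below are constructed.
MAX_HEADERS = 100   # assumed cap on header fields per request


def meta_from_headers_naive(headers):
    """Maps every header to HTTP_<NAME> with '-' rewritten to '_'.
    'x-forwarded-for' and 'x_forwarded_for' land on the same key and the
    later one silently wins, so a client-supplied underscore variant can
    overwrite a value the front proxy set on the hyphenated header."""
    meta = {}
    for name, value in headers:
        key = "HTTP_" + name.decode("latin-1").upper().replace("-", "_")
        meta[key] = value.decode("latin-1")
    return meta


def meta_from_headers_strict(headers, max_headers=MAX_HEADERS):
    """Refuses names containing '_' so the mapping is injective, bounds the
    number of fields, and merges repeated fields with one join (the RFC 9110
    comma-list rule) instead of growing a string in a loop."""
    if len(headers) > max_headers:
        raise ValueError(f"more than {max_headers} header fields")
    values = {}
    for name, value in headers:
        raw = name.decode("latin-1")
        if "_" in raw:
            continue  # drop it; never alias it onto a hyphenated header
        key = "HTTP_" + raw.upper().replace("-", "_")
        values.setdefault(key, []).append(value.decode("latin-1"))
    return {key: ", ".join(parts) for key, parts in values.items()}


# Constructed request headers: the proxy set x-forwarded-for, the client
# added an underscore variant and a repeated Accept field.
SAMPLE_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.9"),
    (b"x_forwarded_for", b"10.0.0.1"),
    (b"accept", b"text/html"),
    (b"accept", b"application/json"),
]
```

Whether to drop an underscore header or reject the whole request is a policy choice; dropping keeps odd but harmless clients working, rejecting makes tampering visible in logs. Cookie is the one common field that is not a comma list (it is joined with "; "), so a full implementation special-cases it.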
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
2.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2025-14550, CVE-2025-14550, GHSA-33mw-q7rj-mjwj, PYSEC-2026-43
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r1vx-vv7d-gqaj |
|
| 27 |
| url |
VCID-rqqc-ta7c-ykgx |
| vulnerability_id |
VCID-rqqc-ta7c-ykgx |
| summary |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-07T15:20:51Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.15 |
| purl |
pkg:pypi/django@4.2.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 9 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 10 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 11 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 12 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 13 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 14 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 15 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 16 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 17 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 18 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 19 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 20 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 21 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 22 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 23 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 24 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 25 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 26 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 27 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.15 |
|
| 1 |
| url |
pkg:pypi/django@5.0.8 |
| purl |
pkg:pypi/django@5.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 5 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 6 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 7 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 8 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8 |
|
|
| aliases |
BIT-django-2024-41990, CVE-2024-41990, GHSA-795c-9xpc-xw6g, PYSEC-2024-68
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rqqc-ta7c-ykgx |
|
| 28 |
| url |
VCID-s1rj-1xbw-fbg5 |
| vulnerability_id |
VCID-s1rj-1xbw-fbg5 |
| summary |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.14 |
| purl |
pkg:pypi/django@4.2.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 9 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 10 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 11 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 12 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 13 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 14 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 15 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 16 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 17 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 18 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 19 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 20 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 21 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 22 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 23 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 24 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 25 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 26 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 27 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 28 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 29 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 30 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 31 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14 |
|
| 1 |
| url |
pkg:pypi/django@5.0.7 |
| purl |
pkg:pypi/django@5.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 6 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 14 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7 |
|
|
| aliases |
BIT-django-2024-39614, CVE-2024-39614, GHSA-f6f8-9mx6-9mx2, PYSEC-2024-59
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s1rj-1xbw-fbg5 |
|
| 29 |
| url |
VCID-shch-yusm-1uck |
| vulnerability_id |
VCID-shch-yusm-1uck |
| summary |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
2.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2026-1285, CVE-2026-1285, GHSA-4rrr-2h4v-f3j9, PYSEC-2026-45
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-shch-yusm-1uck |
|
| 30 |
| url |
VCID-shjc-2j68-2yfy |
| vulnerability_id |
VCID-shjc-2j68-2yfy |
| summary |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2026-1312, CVE-2026-1312, GHSA-6426-9fv3-65x8, PYSEC-2026-47
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-shjc-2j68-2yfy |
|
| 31 |
| url |
VCID-tktt-vg92-6kae |
| vulnerability_id |
VCID-tktt-vg92-6kae |
| summary |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new
instances to be created via forged `POST` data.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2026-4292, CVE-2026-4292, GHSA-mmwr-2jhp-mc7j, PYSEC-2026-53
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tktt-vg92-6kae |
|
| 32 |
| url |
VCID-tuqc-c251-h7ds |
| vulnerability_id |
VCID-tuqc-c251-h7ds |
| summary |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2026-33033, CVE-2026-33033, GHSA-5mf9-h53q-7mhq, PYSEC-2026-48
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tuqc-c251-h7ds |
|
| 33 |
| url |
VCID-ud73-4t2c-n3at |
| vulnerability_id |
VCID-ud73-4t2c-n3at |
| summary |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.17 |
| purl |
pkg:pypi/django@4.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 5 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 12 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 13 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 14 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 15 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 16 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 17 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 18 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 19 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 20 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 21 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 22 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 23 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.17 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.1.4 |
| purl |
pkg:pypi/django@5.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 11 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4 |
|
|
| aliases |
BIT-django-2024-53907, CVE-2024-53907, GHSA-8498-2h75-472j, PYSEC-2024-156
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ud73-4t2c-n3at |
|
| 34 |
| url |
VCID-vgq9-s6th-yufg |
| vulnerability_id |
VCID-vgq9-s6th-yufg |
| summary |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.14 |
| purl |
pkg:pypi/django@4.2.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 9 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 10 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 11 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 12 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 13 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 14 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 15 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 16 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 17 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 18 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 19 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 20 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 21 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 22 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 23 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 24 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 25 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 26 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 27 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 28 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 29 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 30 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 31 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14 |
|
| 1 |
| url |
pkg:pypi/django@5.0.7 |
| purl |
pkg:pypi/django@5.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 4 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 5 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 6 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 7 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 8 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 9 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 10 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 11 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 12 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 13 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 14 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7 |
|
|
| aliases |
BIT-django-2024-39329, CVE-2024-39329, GHSA-x7q2-wr7g-xqmf, PYSEC-2024-57
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vgq9-s6th-yufg |
|
| 35 |
| url |
VCID-w777-44ns-cybg |
| vulnerability_id |
VCID-w777-44ns-cybg |
| summary |
Django has a Race Condition vulnerability
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-25674, GHSA-mjgh-79qc-68w3
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w777-44ns-cybg |
|
| 36 |
| url |
VCID-wa3g-27sx-mbcw |
| vulnerability_id |
VCID-wa3g-27sx-mbcw |
| summary |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:pypi/django@6.0.2 |
| purl |
pkg:pypi/django@6.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 1 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 2 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 3 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 4 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 5 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 6 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 7 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 8 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 9 |
| vulnerability |
VCID-w777-44ns-cybg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2 |
|
|
| aliases |
BIT-django-2026-1287, CVE-2026-1287, GHSA-gvg8-93h5-g6qq, PYSEC-2026-46
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wa3g-27sx-mbcw |
|
| 37 |
| url |
VCID-whgc-pt2s-77ar |
| vulnerability_id |
VCID-whgc-pt2s-77ar |
| summary |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.26 |
| purl |
pkg:pypi/django@4.2.26 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 4 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 5 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 6 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 7 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 8 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 9 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 10 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 11 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 12 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 13 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 14 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.26 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.2.8 |
| purl |
pkg:pypi/django@5.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 2 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 3 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 4 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 5 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 6 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 7 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 8 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 9 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 10 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 11 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 12 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 13 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 14 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 15 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 16 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 17 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8 |
|
| 3 |
|
|
| aliases |
BIT-django-2025-64459, CVE-2025-64459, GHSA-frmv-pr5f-9mcr, PYSEC-2025-108
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-whgc-pt2s-77ar |
|
| 38 |
| url |
VCID-xcmd-18ck-gqae |
| vulnerability_id |
VCID-xcmd-18ck-gqae |
| summary |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-08-16T20:19:17Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.15 |
| purl |
pkg:pypi/django@4.2.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 7 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 8 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 9 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 10 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 11 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 12 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 13 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 14 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 15 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 16 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 17 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 18 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 19 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 20 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 21 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 22 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 23 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 24 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 25 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 26 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 27 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.15 |
|
| 1 |
| url |
pkg:pypi/django@5.0.8 |
| purl |
pkg:pypi/django@5.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 3 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 4 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 5 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 6 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 7 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 8 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 9 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 10 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8 |
|
|
| aliases |
BIT-django-2024-42005, CVE-2024-42005, GHSA-pv4p-cwwg-4rph, PYSEC-2024-70
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xcmd-18ck-gqae |
|
| 39 |
| url |
VCID-ynt9-h6ww-h7e9 |
| vulnerability_id |
VCID-ynt9-h6ww-h7e9 |
| summary |
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias(). |
| references |
| 33 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.24 |
| purl |
pkg:pypi/django@4.2.24 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 5 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 6 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 7 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 8 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 9 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 10 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 11 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 12 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 13 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 14 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 15 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 16 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 17 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 18 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.24 |
|
| 2 |
| url |
pkg:pypi/django@5.2.6 |
| purl |
pkg:pypi/django@5.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 1 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 2 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 3 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 4 |
| vulnerability |
VCID-abpe-htm1-9ubp |
|
| 5 |
| vulnerability |
VCID-eqsc-axng-ckca |
|
| 6 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 9 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 10 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 11 |
| vulnerability |
VCID-m4am-h2ea-3ffr |
|
| 12 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 13 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 14 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 15 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 16 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 17 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 18 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 19 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 20 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 21 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.6 |
|
|
| aliases |
BIT-django-2025-57833, CVE-2025-57833, GHSA-6w2r-r2m5-xq5w, PYSEC-2025-105
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ynt9-h6ww-h7e9 |
|
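Added example for the VCID-ynt9-h6ww-h7e9 / CVE-2025-57833 record above (my own code, not Django's and not part of this page's data). It does two things a practitioner wants when reading the summary: it turns the "X before Y" ranges in the advisory text into a version check, and it shows the application-side control that removes the attack surface, namely refusing to let a caller-supplied dictionary name the aliases passed as **kwargs to QuerySet.annotate() or QuerySet.alias(). The alias allowlist is a policy of my own, stricter than whatever Django validates internally; the summary strings are copied from this page (the CVE-2024-24680 one is used only as a second input to the range parser); the request dictionary is constructed; `Invoice` is a hypothetical model. Nothing here imports Django, so it runs offline.

```python
import re

# Advisory summaries copied from this page (abbreviated to the version ranges).
CVE_2025_57833_SUMMARY = (
    "An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, "
    "and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in "
    "column aliases."
)
CVE_2024_24680_SUMMARY = (
    "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, "
    "and Django 5.0 before 5.0.2."
)

# "<branch> before <fixed>" pairs, as the advisories phrase them.
_RANGE_RE = re.compile(r"(\d+\.\d+) before (\d+(?:\.\d+)+)")
# Leading dotted-numeric part of a version string ("5.2rc1" -> "5.2").
_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """'5.2.6' -> (5, 2, 6). Only the numeric prefix is compared (assumption:
    good enough for 'before' ranges; pre-release tags are ignored)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_affected_ranges(summary):
    """[(branch, fixed_in), ...] extracted from an 'X before Y' summary."""
    return [(parse_version(b), parse_version(f)) for b, f in _RANGE_RE.findall(summary)]


def is_affected(version, summary):
    """True: on a listed branch and older than its fix.
    False: on a listed branch at or past the fix.
    None: branch not mentioned by the advisory (e.g. an end-of-life series)."""
    v = parse_version(version)
    for branch, fixed in parse_affected_ranges(summary):
        if v[: len(branch)] == branch:
            return v < fixed
    return None


# Allowlist for alias names that may reach QuerySet.annotate(**kwargs) or
# QuerySet.alias(**kwargs). This is a strict policy of my own, not Django's
# built-in validation: a plain identifier, no "__" (the ORM's lookup
# separator), bounded length. \Z instead of $ so that "name\n" is rejected;
# with $ the trailing newline would slip through.
_SAFE_ALIAS = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
_MAX_ALIAS_LEN = 63


def partition_alias_kwargs(untrusted, allowed=None):
    """Split an untrusted {alias: expression} mapping into (accepted, rejected).

    Only the alias *names* are treated as untrusted here; the expression
    values must always be chosen by the server. `allowed`, when given, is an
    explicit set of permitted aliases applied on top of the identifier rule.
    """
    accepted, rejected = {}, []
    for name, expr in untrusted.items():
        ok = (
            isinstance(name, str)
            and len(name) <= _MAX_ALIAS_LEN
            and _SAFE_ALIAS.match(name) is not None
            and "__" not in name
            and (allowed is None or name in allowed)
        )
        if ok:
            accepted[name] = expr
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed request body: the caller controls the alias names, which is the
# shape the advisory describes. Values are placeholder strings standing in for
# server-chosen ORM expressions.
SAMPLE_ALIASES = {
    "total": "Sum('lines__amount')",
    "label": "F('name')",
    'x" FROM auth_user --': "F('id')",   # quote plus SQL comment
    "y; DROP TABLE t": "F('id')",        # statement separator
    "owner__id": "F('owner_id')",        # lookup-style name
    "trailing\n": "F('id')",             # newline, caught only because of \Z
}


if __name__ == "__main__":
    print(parse_affected_ranges(CVE_2025_57833_SUMMARY))
    print(is_affected("4.2.23", CVE_2025_57833_SUMMARY))
    accepted, rejected = partition_alias_kwargs(SAMPLE_ALIASES)
    print(sorted(accepted), rejected)
    # In a view (hypothetical model): Invoice.objects.annotate(**accepted)
    # and never Invoice.objects.annotate(**request_data).
```

The version check returns None rather than False for a branch the advisory does not mention (5.0.x here), because "not listed" is not the same as "fixed". The alias rule is an allowlist on purpose: a denylist of quote, semicolon and comment characters is what an injection payload is crafted around, while an identifier-only allowlist plus an explicit set of permitted names leaves nothing for the caller to shape.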
| 40 |
| url |
VCID-yuda-1mur-8bbq |
| vulnerability_id |
VCID-yuda-1mur-8bbq |
| summary |
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
| references |
| 28 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 34 |
| reference_url |
https://groups.google.com/forum/#%21forum/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:36Z/ |
|
|
| url |
https://groups.google.com/forum/#%21forum/django-announce |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.10 |
| purl |
pkg:pypi/django@4.2.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4kcg-gx5y-cuaw |
|
| 2 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 3 |
| vulnerability |
VCID-5xtt-au84-zbb2 |
|
| 4 |
| vulnerability |
VCID-7c5n-nzwk-v7bz |
|
| 5 |
| vulnerability |
VCID-7upw-5p86-8bfr |
|
| 6 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 7 |
| vulnerability |
VCID-9kvc-1bdz-n3bd |
|
| 8 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 9 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 10 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 11 |
| vulnerability |
VCID-fcg9-xypn-ykhf |
|
| 12 |
| vulnerability |
VCID-fsaw-3ta1-x3dw |
|
| 13 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 14 |
| vulnerability |
VCID-ga7z-wj4j-63h1 |
|
| 15 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 16 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 17 |
| vulnerability |
VCID-jybd-p65h-xffy |
|
| 18 |
| vulnerability |
VCID-kxdd-yzp3-r7cb |
|
| 19 |
| vulnerability |
VCID-n2v7-jqjy-37bc |
|
| 20 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 21 |
| vulnerability |
VCID-phkp-9abp-f3dq |
|
| 22 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 23 |
| vulnerability |
VCID-r1vx-vv7d-gqaj |
|
| 24 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 25 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 26 |
| vulnerability |
VCID-shch-yusm-1uck |
|
| 27 |
| vulnerability |
VCID-shjc-2j68-2yfy |
|
| 28 |
| vulnerability |
VCID-tktt-vg92-6kae |
|
| 29 |
| vulnerability |
VCID-tuqc-c251-h7ds |
|
| 30 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 31 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 32 |
| vulnerability |
VCID-w777-44ns-cybg |
|
| 33 |
| vulnerability |
VCID-wa3g-27sx-mbcw |
|
| 34 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 35 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 36 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.10 |
|
| 1 |
| url |
pkg:pypi/django@5.0.2 |
| purl |
pkg:pypi/django@5.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ft7-rbey-kuhx |
|
| 1 |
| vulnerability |
VCID-4tyd-97z5-z3ar |
|
| 2 |
| vulnerability |
VCID-9gq3-whr8-s7b8 |
|
| 3 |
| vulnerability |
VCID-bb8b-hq41-s7a6 |
|
| 4 |
| vulnerability |
VCID-e12b-tw2c-53c9 |
|
| 5 |
| vulnerability |
VCID-e8j6-mybr-17fh |
|
| 6 |
| vulnerability |
VCID-fsaw-3ta1-x3dw |
|
| 7 |
| vulnerability |
VCID-ga69-9y5g-77c3 |
|
| 8 |
| vulnerability |
VCID-hsjn-xnpp-5yeh |
|
| 9 |
| vulnerability |
VCID-jgv9-vdbm-sycd |
|
| 10 |
| vulnerability |
VCID-pa7y-gpwp-6qgj |
|
| 11 |
| vulnerability |
VCID-qw15-2kq7-wqed |
|
| 12 |
| vulnerability |
VCID-qy1a-x3ff-4bc8 |
|
| 13 |
| vulnerability |
VCID-rqqc-ta7c-ykgx |
|
| 14 |
| vulnerability |
VCID-s1rj-1xbw-fbg5 |
|
| 15 |
| vulnerability |
VCID-ud73-4t2c-n3at |
|
| 16 |
| vulnerability |
VCID-vgq9-s6th-yufg |
|
| 17 |
| vulnerability |
VCID-whgc-pt2s-77ar |
|
| 18 |
| vulnerability |
VCID-xcmd-18ck-gqae |
|
| 19 |
| vulnerability |
VCID-ynt9-h6ww-h7e9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.2 |
|
|
| aliases |
BIT-django-2024-24680, CVE-2024-24680, GHSA-xxj9-f6rv-m3x4, PYSEC-2024-28
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yuda-1mur-8bbq |
|
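Added example for the VCID-yuda-1mur-8bbq / CVE-2024-24680 record above (my own code, not Django's, and not part of this page's data). The summary says the intcomma template filter could be driven into a denial of service by very long strings. The block shows why: a grouping routine that inserts one comma per pass and then re-runs a regex over the whole string does work proportional to the square of the digit count, so a long numeric string from untrusted input burns CPU. `intcomma_quadratic` is my simplified reconstruction of that shape (an assumption, not Django's source); `intcomma_linear` is a single-pass replacement of my own, not the code Django shipped in 3.2.24 / 4.2.10 / 5.0.2. The sample values, including the 3000-digit input, are constructed.

```python
import re

# One comma per pass: capture the leading digits, then peel off exactly three.
_ONE_COMMA = re.compile(r"^(-?\d+)(\d{3})")


def intcomma_quadratic(value):
    """Simplified reconstruction (assumption, not Django's source) of the
    pre-fix approach: insert one comma, re-run the regex on the whole string,
    repeat until nothing changes. Each pass rescans the entire string and
    builds a new copy, so total work grows with the square of the digit count.
    Returns (formatted, number_of_substitutions) so the cost is observable."""
    s = str(value)
    passes = 0
    while True:
        new = _ONE_COMMA.sub(r"\g<1>,\g<2>", s)
        if new == s:
            return s, passes
        s = new
        passes += 1


def intcomma_linear(value):
    """Single-pass grouping: split sign / integer part / fraction, then slice
    the integer part into groups of three from the left. No regex rescans, no
    recursion, and no int() round-trip (CPython 3.11+ refuses str->int above
    sys.int_info.str_digits_check_threshold digits, 4300 by default, which
    would turn an over-long input into an exception instead of a format)."""
    s = str(value)
    sign = ""
    if s.startswith("-"):
        sign, s = "-", s[1:]
    int_part, dot, frac = s.partition(".")
    if not int_part.isdecimal():
        return str(value)  # not a number: leave untouched, like the regex version
    head = len(int_part) % 3 or 3
    groups = [int_part[:head]] + [int_part[i:i + 3] for i in range(head, len(int_part), 3)]
    return sign + ",".join(groups) + dot + frac


# Constructed inputs: a few ordinary values plus a 3000-digit string of the
# kind a template would receive if untrusted input reached the filter.
SAMPLES = ["12", "999", "1234567", "-1234567", "1234.5678", "abc"]
LONG_INPUT = "9" * 3000


def same_output_on_samples():
    """Both implementations agree on every sample, including the long one."""
    for v in SAMPLES + [LONG_INPUT]:
        if intcomma_quadratic(v)[0] != intcomma_linear(v):
            return False
    return True


if __name__ == "__main__":
    import time

    for v in SAMPLES:
        print(repr(v), "->", intcomma_linear(v))
    t = time.perf_counter()
    _, passes = intcomma_quadratic(LONG_INPUT)
    print(f"quadratic: {passes} substitutions, {time.perf_counter() - t:.3f}s")
    t = time.perf_counter()
    intcomma_linear(LONG_INPUT)
    print(f"linear:    {time.perf_counter() - t:.6f}s")
```

Running the block prints the per-sample results and the two timings; raise the constructed input length and the quadratic version's time grows roughly fourfold per doubling while the linear one stays flat. The two functions are kept output-compatible so the replacement can be checked against the old behaviour before a template filter is swapped.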
|