| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-3d6k-rdsh-k7hm |
| vulnerability_id |
VCID-3d6k-rdsh-k7hm |
| summary |
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.9 |
| purl |
pkg:pypi/django@5.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 3 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 4 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 5 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 6 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 7 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 8 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 9 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 10 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 11 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 12 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 13 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9 |
|
|
| aliases |
BIT-django-2025-13372, CVE-2025-13372, GHSA-rqw2-ghq9-44m7, PYSEC-2025-104
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3d6k-rdsh-k7hm |
|
| 1 |
| url |
VCID-7jbt-5zw2-vff2 |
| vulnerability_id |
VCID-7jbt-5zw2-vff2 |
| summary |
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.9 |
| purl |
pkg:pypi/django@5.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 3 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 4 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 5 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 6 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 7 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 8 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 9 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 10 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 11 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 12 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 13 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9 |
|
|
| aliases |
BIT-django-2025-64460, CVE-2025-64460, GHSA-vrcr-9hj9-jcg6, PYSEC-2025-109
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbt-5zw2-vff2 |
|
| 2 |
| url |
VCID-9udu-eqvn-mqbj |
| vulnerability_id |
VCID-9udu-eqvn-mqbj |
| summary |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.8 |
| purl |
pkg:pypi/django@5.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 10 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 11 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 12 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 13 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 14 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 15 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8 |
|
|
| aliases |
BIT-django-2025-64458, CVE-2025-64458, GHSA-qw25-v68c-qjf3, PYSEC-2025-107
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9udu-eqvn-mqbj |
|
| 3 |
| url |
VCID-a3e2-se1v-2yb5 |
| vulnerability_id |
VCID-a3e2-se1v-2yb5 |
| summary |
An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2025-27556, CVE-2025-27556, GHSA-wqfg-m96j-85vm, PYSEC-2025-14
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a3e2-se1v-2yb5 |
|
| 4 |
| url |
VCID-ax7m-uv4s-zkc1 |
| vulnerability_id |
VCID-ax7m-uv4s-zkc1 |
| summary |
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.6 |
| purl |
pkg:pypi/django@5.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 10 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 11 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 12 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 13 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 14 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 15 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 16 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 17 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 18 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.6 |
|
|
| aliases |
BIT-django-2025-57833, CVE-2025-57833, GHSA-6w2r-r2m5-xq5w, PYSEC-2025-105
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ax7m-uv4s-zkc1 |
|
| 5 |
| url |
VCID-chey-b3c1-pbe5 |
| vulnerability_id |
VCID-chey-b3c1-pbe5 |
| summary |
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@5.1.5 |
| purl |
pkg:pypi/django@5.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 1 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 2 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 3 |
| vulnerability |
VCID-a3e2-se1v-2yb5 |
|
| 4 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 5 |
| vulnerability |
VCID-em3c-ceug-cubp |
|
| 6 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 7 |
| vulnerability |
VCID-nyc2-p1rp-xkb4 |
|
| 8 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 9 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.5 |
|
|
| aliases |
BIT-django-2024-56374, CVE-2024-56374, GHSA-qcgg-j2x8-h9g8, PYSEC-2025-1
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chey-b3c1-pbe5 |
|
| 6 |
| url |
VCID-em3c-ceug-cubp |
| vulnerability_id |
VCID-em3c-ceug-cubp |
| summary |
denial of service |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.1 |
| purl |
pkg:pypi/django@5.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 10 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 11 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 12 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 13 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 14 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 15 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 16 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 17 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 18 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 19 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 20 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.1 |
|
|
| aliases |
BIT-django-2025-32873, CVE-2025-32873, GHSA-8j24-cjrq-gr2m, PYSEC-2025-37
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-em3c-ceug-cubp |
|
| 7 |
| url |
VCID-fbee-vj2y-cfeb |
| vulnerability_id |
VCID-fbee-vj2y-cfeb |
| summary |
content spoofing |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
|
| 1 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:12Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.2 |
| purl |
pkg:pypi/django@5.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 10 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 11 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 12 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 13 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 14 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 15 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 16 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 17 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 18 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 19 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.2 |
|
|
| aliases |
BIT-django-2025-48432, CVE-2025-48432, GHSA-7xr5-9hcq-chf9, PYSEC-2025-47
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fbee-vj2y-cfeb |
|
| 8 |
| url |
VCID-nyc2-p1rp-xkb4 |
| vulnerability_id |
VCID-nyc2-p1rp-xkb4 |
| summary |
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T20:30:28Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
BIT-django-2025-26699, CVE-2025-26699, GHSA-p3fp-8748-vqfq, PYSEC-2025-13
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nyc2-p1rp-xkb4 |
|
| 9 |
| url |
VCID-u15a-4ste-43cy |
| vulnerability_id |
VCID-u15a-4ste-43cy |
| summary |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.8 |
| purl |
pkg:pypi/django@5.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 10 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 11 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 12 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 13 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 14 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 15 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8 |
|
|
| aliases |
BIT-django-2025-64459, CVE-2025-64459, GHSA-frmv-pr5f-9mcr, PYSEC-2025-108
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u15a-4ste-43cy |
|
| 10 |
| url |
VCID-vpgq-jhzc-j7h2 |
| vulnerability_id |
VCID-vpgq-jhzc-j7h2 |
| summary |
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:12:04Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/django@5.2.7 |
| purl |
pkg:pypi/django@5.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3ccr-92q5-aqfk |
|
| 2 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 3 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 4 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 5 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 6 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 7 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 8 |
| vulnerability |
VCID-92z2-3rbz-77h9 |
|
| 9 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 10 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 11 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 12 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 13 |
| vulnerability |
VCID-g22z-jue5-8udz |
|
| 14 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 15 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 16 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 17 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7 |
|
|
| aliases |
BIT-django-2025-59681, CVE-2025-59681, GHSA-hpr9-3m2g-3j9p, PYSEC-2025-106
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vpgq-jhzc-j7h2 |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-1umb-2rxg-bbdk |
| vulnerability_id |
VCID-1umb-2rxg-bbdk |
| summary |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 6 |
|
| 7 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-06T16:22:53Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.17 |
| purl |
pkg:pypi/django@4.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 2 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 3 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 4 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 5 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 6 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 7 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 8 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 9 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 10 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 11 |
| vulnerability |
VCID-chey-b3c1-pbe5 |
|
| 12 |
| vulnerability |
VCID-em3c-ceug-cubp |
|
| 13 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 14 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 15 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 16 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 17 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 18 |
| vulnerability |
VCID-nyc2-p1rp-xkb4 |
|
| 19 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 20 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.17 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.1.4 |
| purl |
pkg:pypi/django@5.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 1 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 2 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 3 |
| vulnerability |
VCID-a3e2-se1v-2yb5 |
|
| 4 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 5 |
| vulnerability |
VCID-chey-b3c1-pbe5 |
|
| 6 |
| vulnerability |
VCID-em3c-ceug-cubp |
|
| 7 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 8 |
| vulnerability |
VCID-nyc2-p1rp-xkb4 |
|
| 9 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 10 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4 |
|
|
| aliases |
BIT-django-2024-53907, CVE-2024-53907, GHSA-8498-2h75-472j, PYSEC-2024-156
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1umb-2rxg-bbdk |
|
| 1 |
| url |
VCID-4vry-9jdm-nyg9 |
| vulnerability_id |
VCID-4vry-9jdm-nyg9 |
| summary |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/django/django |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/django/django |
|
| 6 |
|
| 7 |
| reference_url |
https://groups.google.com/g/django-announce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-06T16:19:13Z/ |
|
|
| url |
https://groups.google.com/g/django-announce |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/django@4.2.17 |
| purl |
pkg:pypi/django@4.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-32d1-b8f2-hud5 |
|
| 1 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 2 |
| vulnerability |
VCID-5fbx-3yfb-fudx |
|
| 3 |
| vulnerability |
VCID-62jv-ab6d-sqdb |
|
| 4 |
| vulnerability |
VCID-63c7-mkxw-ufav |
|
| 5 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 6 |
| vulnerability |
VCID-92bp-6kte-tyfs |
|
| 7 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 8 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 9 |
| vulnerability |
VCID-cbsj-1qqg-1ba6 |
|
| 10 |
| vulnerability |
VCID-cg44-thdw-cygg |
|
| 11 |
| vulnerability |
VCID-chey-b3c1-pbe5 |
|
| 12 |
| vulnerability |
VCID-em3c-ceug-cubp |
|
| 13 |
| vulnerability |
VCID-enen-3w2h-g3b8 |
|
| 14 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 15 |
| vulnerability |
VCID-heum-8mwz-sbcw |
|
| 16 |
| vulnerability |
VCID-j2uz-w2ur-7ud4 |
|
| 17 |
| vulnerability |
VCID-jma1-9ags-xbfm |
|
| 18 |
| vulnerability |
VCID-nyc2-p1rp-xkb4 |
|
| 19 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 20 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.17 |
|
| 1 |
|
| 2 |
| url |
pkg:pypi/django@5.1.4 |
| purl |
pkg:pypi/django@5.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3d6k-rdsh-k7hm |
|
| 1 |
| vulnerability |
VCID-7jbt-5zw2-vff2 |
|
| 2 |
| vulnerability |
VCID-9udu-eqvn-mqbj |
|
| 3 |
| vulnerability |
VCID-a3e2-se1v-2yb5 |
|
| 4 |
| vulnerability |
VCID-ax7m-uv4s-zkc1 |
|
| 5 |
| vulnerability |
VCID-chey-b3c1-pbe5 |
|
| 6 |
| vulnerability |
VCID-em3c-ceug-cubp |
|
| 7 |
| vulnerability |
VCID-fbee-vj2y-cfeb |
|
| 8 |
| vulnerability |
VCID-nyc2-p1rp-xkb4 |
|
| 9 |
| vulnerability |
VCID-u15a-4ste-43cy |
|
| 10 |
| vulnerability |
VCID-vpgq-jhzc-j7h2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4 |
|
|
| aliases |
BIT-django-2024-53908, CVE-2024-53908, GHSA-m9g8-fxxm-xg86, PYSEC-2024-157
|
| risk_score |
4.1 |
| exploitability |
0.5 |
| weighted_severity |
8.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4vry-9jdm-nyg9 |
|
|
|---|