Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/django-allauth@0.14.0
Typepypi
Namespace
Namedjango-allauth
Version0.14.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-35mh-1a8w-gfcb
vulnerability_id VCID-35mh-1a8w-gfcb
summary An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
references
0
reference_url https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
url https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
fixed_packages
0
url pkg:pypi/django-allauth@65.13.0
purl pkg:pypi/django-allauth@65.13.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gsy3-ym2x-afbd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django-allauth@65.13.0
aliases CVE-2025-65430, PYSEC-2025-110
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-35mh-1a8w-gfcb
1
url VCID-gsy3-ym2x-afbd
vulnerability_id VCID-gsy3-ym2x-afbd
summary An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
references
0
reference_url https://allauth.org/news/2026/02/django-allauth-65.14.1-released/
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://allauth.org/news/2026/02/django-allauth-65.14.1-released/
1
reference_url https://jvn.jp/en/jp/JVN23669411/
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://jvn.jp/en/jp/JVN23669411/
fixed_packages
0
url pkg:pypi/django-allauth@65.14.1
purl pkg:pypi/django-allauth@65.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django-allauth@65.14.1
aliases CVE-2026-27982, PYSEC-2026-56
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gsy3-ym2x-afbd
2
url VCID-tazq-wxea-t7d1
vulnerability_id VCID-tazq-wxea-t7d1
summary An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
references
0
reference_url https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
url https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
fixed_packages
0
url pkg:pypi/django-allauth@65.13.0
purl pkg:pypi/django-allauth@65.13.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gsy3-ym2x-afbd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django-allauth@65.13.0
aliases CVE-2025-65431, PYSEC-2025-111
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tazq-wxea-t7d1
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/django-allauth@0.14.0