Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/django@5.2rc1

Type pypi

Namespace

Name django

Version 5.2rc1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.2.12

Latest_non_vulnerable_version 6.0.4

Affected_by_vulnerabilities

url VCID-28g3-ubx6-ebff

vulnerability_id VCID-28g3-ubx6-ebff

summary

Django has Inefficient Algorithmic Complexity
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Seokchan Yoon for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1285

reference_id

reference_type

scores

value	0.00064
scoring_system	epss
scoring_elements	0.20187
published_at	2026-04-02T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20125
published_at	2026-04-11T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20106
published_at	2026-04-09T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20047
published_at	2026-04-08T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.19968
published_at	2026-04-07T12:55:00Z

value	0.00064
scoring_system	epss
scoring_elements	0.20242
published_at	2026-04-04T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20754
published_at	2026-04-18T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20761
published_at	2026-04-16T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20771
published_at	2026-04-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20824
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1285

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1285
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1285

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1285

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1285

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436340
reference_id	2436340
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436340

reference_url

https://github.com/advisories/GHSA-4rrr-2h4v-f3j9

reference_id

GHSA-4rrr-2h4v-f3j9

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4rrr-2h4v-f3j9

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:6291
reference_id	RHSA-2026:6291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6291

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2026-1285, GHSA-4rrr-2h4v-f3j9

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-28g3-ubx6-ebff

url VCID-2tfv-rtq7-2fg9

vulnerability_id VCID-2tfv-rtq7-2fg9

summary

Django has Observable Timing Discrepancy
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Stackered for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13473.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13473.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13473

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.08681
published_at	2026-04-02T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.08755
published_at	2026-04-11T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.0873
published_at	2026-04-08T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.08653
published_at	2026-04-07T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.08729
published_at	2026-04-04T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10648
published_at	2026-04-12T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10506
published_at	2026-04-18T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10488
published_at	2026-04-16T12:55:00Z

value	0.00036
scoring_system	epss
scoring_elements	0.10623
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13473

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13473
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13473

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13473

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13473

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436343
reference_id	2436343
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436343

reference_url

https://github.com/advisories/GHSA-2mcm-79hx-8fxw

reference_id

GHSA-2mcm-79hx-8fxw

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2mcm-79hx-8fxw

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2025-13473, GHSA-2mcm-79hx-8fxw

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2tfv-rtq7-2fg9

url VCID-84mm-45p6-xkau

vulnerability_id VCID-84mm-45p6-xkau

summary

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`  were subject to a potential  denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64458

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05452
published_at	2026-04-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.0548
published_at	2026-04-09T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05459
published_at	2026-04-08T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05424
published_at	2026-04-07T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05417
published_at	2026-04-04T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05432
published_at	2026-04-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05438
published_at	2026-04-12T12:55:00Z

value	0.00024
scoring_system	epss
scoring_elements	0.06443
published_at	2026-04-16T12:55:00Z

value	0.00024
scoring_system	epss
scoring_elements	0.06454
published_at	2026-04-18T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07235
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64458

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242

reference_url

https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac

reference_url

https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f

reference_url

https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/

url

https://groups.google.com/g/django-announce

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2412649
reference_id	2412649
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2412649

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64458

reference_id

CVE-2025-64458

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64458

reference_url

https://github.com/advisories/GHSA-qw25-v68c-qjf3

reference_id

GHSA-qw25-v68c-qjf3

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qw25-v68c-qjf3

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_id

security-releases

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

fixed_packages

url pkg:pypi/django@5.2.8

purl pkg:pypi/django@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-nda7-9219-6kce

vulnerability	VCID-ukkt-wgau-t3et

vulnerability	VCID-vwt9-q3dt-vbfg

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8

url pkg:pypi/django@6.0a1

purl pkg:pypi/django@6.0a1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0a1

aliases CVE-2025-64458, GHSA-qw25-v68c-qjf3

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-84mm-45p6-xkau

url VCID-8qu1-45n9-gyb1

vulnerability_id VCID-8qu1-45n9-gyb1

summary

Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1287

reference_id

reference_type

scores

value	0.0001
scoring_system	epss
scoring_elements	0.01069
published_at	2026-04-02T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01067
published_at	2026-04-11T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01083
published_at	2026-04-09T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01084
published_at	2026-04-08T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01079
published_at	2026-04-07T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01072
published_at	2026-04-04T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01433
published_at	2026-04-16T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01444
published_at	2026-04-13T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01443
published_at	2026-04-12T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01446
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1287

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1287
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1287

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1287

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1287

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436339
reference_id	2436339
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436339

reference_url

https://github.com/advisories/GHSA-gvg8-93h5-g6qq

reference_id

GHSA-gvg8-93h5-g6qq

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gvg8-93h5-g6qq

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://access.redhat.com/errata/RHSA-2026:3962
reference_id	RHSA-2026:3962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3962

reference_url	https://access.redhat.com/errata/RHSA-2026:6291
reference_id	RHSA-2026:6291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6291

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2026-1287, GHSA-gvg8-93h5-g6qq

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8qu1-45n9-gyb1

url VCID-9uzd-mmyv-mfh4

vulnerability_id VCID-9uzd-mmyv-mfh4

summary

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64459

reference_id

reference_type

scores

value	0.00191
scoring_system	epss
scoring_elements	0.41087
published_at	2026-04-02T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68747
published_at	2026-04-04T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68774
published_at	2026-04-13T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68804
published_at	2026-04-12T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68818
published_at	2026-04-11T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68795
published_at	2026-04-09T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68776
published_at	2026-04-08T12:55:00Z

value	0.00576
scoring_system	epss
scoring_elements	0.68724
published_at	2026-04-07T12:55:00Z

value	0.00642
scoring_system	epss
scoring_elements	0.70648
published_at	2026-04-18T12:55:00Z

value	0.00642
scoring_system	epss
scoring_elements	0.7064
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64459

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85

reference_url

https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4

reference_url

https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b

reference_url

https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241

reference_url

https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/

url

https://groups.google.com/g/django-announce

reference_url

https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139
reference_id	1120139
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2412651
reference_id	2412651
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2412651

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py
reference_id	CVE-2025-64459
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64459

reference_id

CVE-2025-64459

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64459

reference_url

https://github.com/advisories/GHSA-frmv-pr5f-9mcr

reference_id

GHSA-frmv-pr5f-9mcr

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-frmv-pr5f-9mcr

reference_url	https://access.redhat.com/errata/RHSA-2025:23069
reference_id	RHSA-2025:23069
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23069

reference_url	https://access.redhat.com/errata/RHSA-2025:23070
reference_id	RHSA-2025:23070
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23070

reference_url	https://access.redhat.com/errata/RHSA-2025:23130
reference_id	RHSA-2025:23130
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23130

reference_url	https://access.redhat.com/errata/RHSA-2025:23131
reference_id	RHSA-2025:23131
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23131

reference_url	https://access.redhat.com/errata/RHSA-2025:23133
reference_id	RHSA-2025:23133
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23133

reference_url	https://access.redhat.com/errata/RHSA-2025:23196
reference_id	RHSA-2025:23196
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23196

reference_url	https://access.redhat.com/errata/RHSA-2026:1596
reference_id	RHSA-2026:1596
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1596

reference_url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_id

security-releases

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/

url

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

reference_url	https://usn.ubuntu.com/7859-1/
reference_id	USN-7859-1
reference_type
scores
url	https://usn.ubuntu.com/7859-1/

fixed_packages

url pkg:pypi/django@5.2.8

purl pkg:pypi/django@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-nda7-9219-6kce

vulnerability	VCID-ukkt-wgau-t3et

vulnerability	VCID-vwt9-q3dt-vbfg

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8

url pkg:pypi/django@6.0a1

purl pkg:pypi/django@6.0a1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0a1

aliases CVE-2025-64459, GHSA-frmv-pr5f-9mcr

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9uzd-mmyv-mfh4

url VCID-e9k9-1s9f-dbgv

vulnerability_id VCID-e9k9-1s9f-dbgv

summary

Django has Inefficient Algorithmic Complexity
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Jiyong Yang for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-14550

reference_id

reference_type

scores

value	0.00059
scoring_system	epss
scoring_elements	0.18717
published_at	2026-04-02T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18625
published_at	2026-04-11T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18621
published_at	2026-04-09T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18568
published_at	2026-04-08T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18487
published_at	2026-04-07T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18771
published_at	2026-04-04T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.1923
published_at	2026-04-18T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.19221
published_at	2026-04-16T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.19259
published_at	2026-04-13T12:55:00Z

value	0.00062
scoring_system	epss
scoring_elements	0.19314
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-14550

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-14550

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-14550

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436341
reference_id	2436341
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436341

reference_url

https://github.com/advisories/GHSA-33mw-q7rj-mjwj

reference_id

GHSA-33mw-q7rj-mjwj

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-33mw-q7rj-mjwj

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:6291
reference_id	RHSA-2026:6291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6291

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2025-14550, GHSA-33mw-q7rj-mjwj

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e9k9-1s9f-dbgv

url VCID-msge-1mfu-7qfa

vulnerability_id VCID-msge-1mfu-7qfa

summary

Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json

reference_id

reference_type

scores

value	8.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1312

reference_id

reference_type

scores

value	0.0001
scoring_system	epss
scoring_elements	0.01069
published_at	2026-04-02T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01067
published_at	2026-04-11T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01083
published_at	2026-04-09T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01084
published_at	2026-04-08T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01079
published_at	2026-04-07T12:55:00Z

value	0.0001
scoring_system	epss
scoring_elements	0.01072
published_at	2026-04-04T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01433
published_at	2026-04-16T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01444
published_at	2026-04-13T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01443
published_at	2026-04-12T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01446
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1312

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1312
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1312

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84

reference_url

https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1312

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1312

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436342
reference_id	2436342
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436342

reference_url

https://github.com/advisories/GHSA-6426-9fv3-65x8

reference_id

GHSA-6426-9fv3-65x8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6426-9fv3-65x8

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://access.redhat.com/errata/RHSA-2026:3962
reference_id	RHSA-2026:3962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3962

reference_url	https://access.redhat.com/errata/RHSA-2026:6291
reference_id	RHSA-2026:6291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6291

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2026-1312, GHSA-6426-9fv3-65x8

risk_score 3.9

exploitability 0.5

weighted_severity 7.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msge-1mfu-7qfa

url VCID-ukkt-wgau-t3et

vulnerability_id VCID-ukkt-wgau-t3et

summary

Django is vulnerable to DoS via XML serializer text extraction
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64460.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64460.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64460

reference_id

reference_type

scores

value	0.00063
scoring_system	epss
scoring_elements	0.19807
published_at	2026-04-02T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22365
published_at	2026-04-16T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22349
published_at	2026-04-13T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22405
published_at	2026-04-12T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22447
published_at	2026-04-11T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.2237
published_at	2026-04-08T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22288
published_at	2026-04-07T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.225
published_at	2026-04-04T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.22425
published_at	2026-04-09T12:55:00Z

value	0.00074
scoring_system	epss
scoring_elements	0.2236
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64460

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b

reference_url

https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5

reference_url

https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0

reference_url

https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/

url

https://groups.google.com/g/django-announce

reference_url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788
reference_id	1121788
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2418366
reference_id	2418366
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2418366

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-64460

reference_id

CVE-2025-64460

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-64460

reference_url

https://github.com/advisories/GHSA-vrcr-9hj9-jcg6

reference_id

GHSA-vrcr-9hj9-jcg6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vrcr-9hj9-jcg6

reference_url	https://access.redhat.com/errata/RHSA-2026:0414
reference_id	RHSA-2026:0414
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0414

reference_url	https://access.redhat.com/errata/RHSA-2026:1249
reference_id	RHSA-2026:1249
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1249

reference_url	https://access.redhat.com/errata/RHSA-2026:1497
reference_id	RHSA-2026:1497
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1497

reference_url	https://access.redhat.com/errata/RHSA-2026:1506
reference_id	RHSA-2026:1506
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1506

reference_url	https://access.redhat.com/errata/RHSA-2026:1599
reference_id	RHSA-2026:1599
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1599

reference_url	https://access.redhat.com/errata/RHSA-2026:1609
reference_id	RHSA-2026:1609
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1609

reference_url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases/

reference_id

security-releases

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/

url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases/

reference_url	https://usn.ubuntu.com/7903-1/
reference_id	USN-7903-1
reference_type
scores
url	https://usn.ubuntu.com/7903-1/

fixed_packages

url pkg:pypi/django@5.2.9

purl pkg:pypi/django@5.2.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-nda7-9219-6kce

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9

url pkg:pypi/django@6.0a1

purl pkg:pypi/django@6.0a1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0a1

aliases CVE-2025-64460, GHSA-vrcr-9hj9-jcg6

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ukkt-wgau-t3et

url VCID-vwt9-q3dt-vbfg

vulnerability_id VCID-vwt9-q3dt-vbfg

summary

Django is vulnerable to SQL injection in column aliases
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13372

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01185
published_at	2026-04-18T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01173
published_at	2026-04-16T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01184
published_at	2026-04-13T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01181
published_at	2026-04-12T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01188
published_at	2026-04-11T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01201
published_at	2026-04-08T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01194
published_at	2026-04-07T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01182
published_at	2026-04-04T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01203
published_at	2026-04-09T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00835
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13372

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf

reference_url

https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0

reference_url

https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e

reference_url

https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355

reference_url

https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/

url

https://groups.google.com/g/django-announce

reference_url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788
reference_id	1121788
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2418372
reference_id	2418372
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2418372

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13372

reference_id

CVE-2025-13372

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13372

reference_url

https://github.com/advisories/GHSA-rqw2-ghq9-44m7

reference_id

GHSA-rqw2-ghq9-44m7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rqw2-ghq9-44m7

reference_url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases/

reference_id

security-releases

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/

url

https://www.djangoproject.com/weblog/2025/dec/02/security-releases/

reference_url	https://usn.ubuntu.com/7903-1/
reference_id	USN-7903-1
reference_type
scores
url	https://usn.ubuntu.com/7903-1/

fixed_packages

url pkg:pypi/django@5.2.9

purl pkg:pypi/django@5.2.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-nda7-9219-6kce

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9

url pkg:pypi/django@6.0a1

purl pkg:pypi/django@6.0a1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0a1

aliases CVE-2025-13372, GHSA-rqw2-ghq9-44m7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwt9-q3dt-vbfg

url VCID-w4pr-k5nj-ckgy

vulnerability_id VCID-w4pr-k5nj-ckgy

summary

Django is subject to SQL injection through its column aliases
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57833.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57833.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57833

reference_id

reference_type

scores

value	0.00021
scoring_system	epss
scoring_elements	0.05549
published_at	2026-04-18T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.05603
published_at	2026-04-11T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.05535
published_at	2026-04-16T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.05586
published_at	2026-04-13T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.05593
published_at	2026-04-12T12:55:00Z

value	0.00021
scoring_system	epss
scoring_elements	0.05631
published_at	2026-04-09T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05798
published_at	2026-04-02T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05834
published_at	2026-04-04T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05828
published_at	2026-04-07T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05868
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57833

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5

reference_url

https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

reference_url

https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/

url

https://groups.google.com/g/django-announce

reference_url

https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html

reference_url

https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/

url

https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57833

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57833

reference_url

https://www.djangoproject.com/weblog/2025/sep/03/security-releases

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2025/sep/03/security-releases

reference_url

http://www.openwall.com/lists/oss-security/2025/09/03/3

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/09/03/3

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113865
reference_id	1113865
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113865

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2392990
reference_id	2392990
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2392990

reference_url

https://github.com/advisories/GHSA-6w2r-r2m5-xq5w

reference_id

GHSA-6w2r-r2m5-xq5w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6w2r-r2m5-xq5w

reference_url	https://access.redhat.com/errata/RHSA-2025:16403
reference_id	RHSA-2025:16403
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:16403

reference_url	https://access.redhat.com/errata/RHSA-2025:16404
reference_id	RHSA-2025:16404
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:16404

reference_url	https://access.redhat.com/errata/RHSA-2025:16487
reference_id	RHSA-2025:16487
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:16487

reference_url	https://access.redhat.com/errata/RHSA-2025:16514
reference_id	RHSA-2025:16514
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:16514

reference_url	https://access.redhat.com/errata/RHSA-2025:17498
reference_id	RHSA-2025:17498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17498

reference_url	https://access.redhat.com/errata/RHSA-2025:17499
reference_id	RHSA-2025:17499
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17499

reference_url	https://access.redhat.com/errata/RHSA-2025:17500
reference_id	RHSA-2025:17500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17500

reference_url	https://access.redhat.com/errata/RHSA-2025:17606
reference_id	RHSA-2025:17606
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17606

reference_url	https://access.redhat.com/errata/RHSA-2025:17613
reference_id	RHSA-2025:17613
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17613

reference_url	https://access.redhat.com/errata/RHSA-2025:17614
reference_id	RHSA-2025:17614
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:17614

reference_url

https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

reference_id

security-releases

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/

url

https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

reference_url	https://usn.ubuntu.com/7736-1/
reference_id	USN-7736-1
reference_type
scores
url	https://usn.ubuntu.com/7736-1/

fixed_packages

url pkg:pypi/django@5.2.6

purl pkg:pypi/django@5.2.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-28g3-ubx6-ebff

vulnerability	VCID-2tfv-rtq7-2fg9

vulnerability	VCID-84mm-45p6-xkau

vulnerability	VCID-8qu1-45n9-gyb1

vulnerability	VCID-9uzd-mmyv-mfh4

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-c6xy-v4sf-u3hn

vulnerability	VCID-e9k9-1s9f-dbgv

vulnerability	VCID-msge-1mfu-7qfa

vulnerability	VCID-mux4-uv98-hbbw

vulnerability	VCID-nda7-9219-6kce

vulnerability	VCID-ukkt-wgau-t3et

vulnerability	VCID-vwt9-q3dt-vbfg

vulnerability	VCID-ysyp-h7ja-yff3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.6

aliases CVE-2025-57833, GHSA-6w2r-r2m5-xq5w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w4pr-k5nj-ckgy

url VCID-ysyp-h7ja-yff3

vulnerability_id VCID-ysyp-h7ja-yff3

summary

Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Tarek Nakkouch for reporting this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1207

reference_id

reference_type

scores

value	0.03841
scoring_system	epss
scoring_elements	0.88188
published_at	2026-04-11T12:55:00Z

value	0.03841
scoring_system	epss
scoring_elements	0.88178
published_at	2026-04-09T12:55:00Z

value	0.03841
scoring_system	epss
scoring_elements	0.88172
published_at	2026-04-08T12:55:00Z

value	0.03841
scoring_system	epss
scoring_elements	0.88153
published_at	2026-04-07T12:55:00Z

value	0.03841
scoring_system	epss
scoring_elements	0.88146
published_at	2026-04-04T12:55:00Z

value	0.04424
scoring_system	epss
scoring_elements	0.89035
published_at	2026-04-13T12:55:00Z

value	0.04424
scoring_system	epss
scoring_elements	0.89037
published_at	2026-04-12T12:55:00Z

value	0.04424
scoring_system	epss
scoring_elements	0.89048
published_at	2026-04-18T12:55:00Z

value	0.05126
scoring_system	epss
scoring_elements	0.8982
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1207

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1207
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1207

reference_url

https://docs.djangoproject.com/en/dev/releases/security

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://docs.djangoproject.com/en/dev/releases/security

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/django/django

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django

reference_url

https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8

reference_url

https://groups.google.com/g/django-announce

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/

url

https://groups.google.com/g/django-announce

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1207

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1207

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id	1126914
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2436338
reference_id	2436338
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2436338

reference_url

https://github.com/advisories/GHSA-mwm9-4648-f68q

reference_id

GHSA-mwm9-4648-f68q

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mwm9-4648-f68q

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://access.redhat.com/errata/RHSA-2026:3962
reference_id	RHSA-2026:3962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3962

reference_url	https://access.redhat.com/errata/RHSA-2026:6291
reference_id	RHSA-2026:6291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6291

reference_url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_id

security-releases

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/

url

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

reference_url	https://usn.ubuntu.com/8009-1/
reference_id	USN-8009-1
reference_type
scores
url	https://usn.ubuntu.com/8009-1/

fixed_packages

url pkg:pypi/django@5.2.11

purl pkg:pypi/django@5.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11

url pkg:pypi/django@6.0.2

purl pkg:pypi/django@6.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ac4c-321h-tqfk

vulnerability	VCID-nda7-9219-6kce

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2

aliases CVE-2026-1207, GHSA-mwm9-4648-f68q

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ysyp-h7ja-yff3

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2rc1

Package Instance