| purl | pkg:deb/debian/python-django@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3sac-ah8j-pucd | Django SQL injection in HasKey(lhs, rhs) on Oracle. An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) | BIT-django-2024-53908, CVE-2024-53908, GHSA-m9g8-fxxm-xg86, PYSEC-2024-157 |
| VCID-6hfy-2gcp-1uh4 | An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes. | CVE-2018-16984, GHSA-6mx3-3vqg-hpp2, PYSEC-2018-3 |
| VCID-78r4-85ms-63hm | An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. | BIT-django-2023-46695, CVE-2023-46695, GHSA-qmf9-6jqf-j8fq, PYSEC-2023-222 |
| VCID-84mm-45p6-xkau | Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | CVE-2025-64458, GHSA-qw25-v68c-qjf3 |
| VCID-e9k9-1s9f-dbgv | Django has Inefficient Algorithmic Complexity. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. | CVE-2025-14550, GHSA-33mw-q7rj-mjwj |
| VCID-fw2d-s2rt-syfz | Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays. | CVE-2011-0698, GHSA-7g9h-c88w-r7h2, PYSEC-2011-12 |
| VCID-gan1-9gwu-63d2 | Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. | BIT-django-2021-35042, CVE-2021-35042, GHSA-xpfp-f569-q3p2, PYSEC-2021-109 |
| VCID-khxh-hjmn-fbdq | The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key. | CVE-2015-3982, GHSA-6wgp-fwfm-mxp3, PYSEC-2015-19 |
| VCID-nda7-9219-6kce | Django vulnerable to Uncontrolled Resource Consumption. An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | CVE-2026-25673, GHSA-8p8v-wh79-9r56 |
| VCID-p9fd-1qx2-8ubc | An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. | BIT-django-2025-27556, CVE-2025-27556, GHSA-wqfg-m96j-85vm, PYSEC-2025-14 |
| VCID-t8d7-68j2-suet | validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. | CVE-2015-5145, GHSA-cqf7-ff9h-7967, PYSEC-2015-21 |
| VCID-vwt9-q3dt-vbfg | Django is vulnerable to SQL injection in column aliases. An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | CVE-2025-13372, GHSA-rqw2-ghq9-44m7 |