| purl | pkg:deb/debian/python-django@0.95.1-1etch2 |
| Next non-vulnerable version | 3:3.2.25-0+deb12u3 |
| Latest non-vulnerable version | 3:5.2.14-2 |
| Risk | |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1c7j-evpp-53eb (Aliases: BIT-django-2024-39330 CVE-2024-39330 GHSA-9jmf-237g-qf46 PYSEC-2024-58) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-1umb-2rxg-bbdk (Aliases: BIT-django-2024-53907 CVE-2024-53907 GHSA-8498-2h75-472j PYSEC-2024-156) | An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-2bh9-k4at-r7hz (Aliases: BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35) | sql injection | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-2bx5-jaat-u7ek (Aliases: CVE-2015-5964 GHSA-x38m-486c-2wr9 PYSEC-2015-23) | The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-2jvg-udsm-nkax (Aliases: CVE-2018-14574 GHSA-5hg3-6c2f-f3wr PYSEC-2018-2) | open redirect | Affected by 30 other vulnerabilities. |
| VCID-3d6k-rdsh-k7hm (Aliases: BIT-django-2025-13372 CVE-2025-13372 GHSA-rqw2-ghq9-44m7 PYSEC-2025-104) | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-5a2y-2m62-1qfa (Aliases: BIT-django-2020-13254 CVE-2020-13254 GHSA-wpjr-j57x-wxfw PYSEC-2020-31) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-5sxw-p38k-q7cp (Aliases: CVE-2018-7537 GHSA-2f9x-5v75-3qv4 PYSEC-2018-6) | denial of service | Affected by 38 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-68nb-696n-n3bf (Aliases: BIT-django-2024-41991 CVE-2024-41991 GHSA-r836-hh6v-rg5g PYSEC-2024-69) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-697r-xhy8-efa5 (Aliases: CVE-2016-2513 GHSA-fp6p-5xvw-m74f PYSEC-2016-16) | The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-6fef-e9tf-7kag (Aliases: CVE-2015-5963 GHSA-pgxh-wfw4-jx2v PYSEC-2015-22) | contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-6p2m-vyft-xfe8 (Aliases: CVE-2015-8213 GHSA-6wcr-wcqm-3mfh PYSEC-2015-11) | The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-7jbt-5zw2-vff2 (Aliases: BIT-django-2025-64460 CVE-2025-64460 GHSA-vrcr-9hj9-jcg6 PYSEC-2025-109) | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. Affected by 12 other vulnerabilities. |
| VCID-7u6e-a3ng-fude (Aliases: BIT-django-2023-43665 CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226) | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-9bkv-g3r4-u7h7 (Aliases: CVE-2014-0482 GHSA-625g-gx8c-xcmg PYSEC-2014-6) | The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. | Affected by 50 other vulnerabilities. |
| VCID-9zch-bnz9-97g4 (Aliases: CVE-2013-4315 GHSA-vjjp-9r83-22rc PYSEC-2013-20) | Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag. | Affected by 50 other vulnerabilities. |
| VCID-a799-3q3k-1bc2 (Aliases: CVE-2015-0220 GHSA-gv98-g628-m9x5 PYSEC-2015-5) | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. | Affected by 50 other vulnerabilities. |
| VCID-ax42-esfz-vud2 (Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv) | | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-ax7m-uv4s-zkc1 (Aliases: BIT-django-2025-57833 CVE-2025-57833 GHSA-6w2r-r2m5-xq5w PYSEC-2025-105) | An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to QuerySet.annotate() or QuerySet.alias(). | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-azdn-r9pz-pqd4 (Aliases: CVE-2015-5143 GHSA-h582-2pch-3xv3 PYSEC-2015-20) | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-bjn5-qpmt-qffx (Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47) | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-bnm5-r2rs-zyeb (Aliases: CVE-2014-0472 GHSA-rvq6-mrpv-m6rm PYSEC-2014-1) | The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." | Affected by 50 other vulnerabilities. |
| VCID-bq5s-uknu-z7cn (Aliases: BIT-django-2024-42005 CVE-2024-42005 GHSA-pv4p-cwwg-4rph PYSEC-2024-70) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed `*arg`. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-bxu2-wqcg-1ueh (Aliases: CVE-2019-12308 GHSA-7rp2-fm2h-wchj PYSEC-2019-79) | cross-site scripting | Affected by 30 other vulnerabilities. |
| VCID-cbg1-8tp8-7ube (Aliases: CVE-2016-6186 GHSA-c8c8-9472-w52h PYSEC-2016-2) | Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. | Affected by 38 other vulnerabilities. |
| VCID-chey-b3c1-pbe5 (Aliases: BIT-django-2024-56374 CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1) | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-ctk2-ykg7-h7ag (Aliases: BIT-django-2023-41164 CVE-2023-41164 GHSA-7h4p-27mh-hmrw PYSEC-2023-225) | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-d156-9d9y-nygj (Aliases: CVE-2014-3730 GHSA-vq3h-3q7v-9prw PYSEC-2014-20) | The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." | Affected by 50 other vulnerabilities. |
| VCID-em3c-ceug-cubp (Aliases: BIT-django-2025-32873 CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37) | denial of service | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-evu1-efcj-gfc5 (Aliases: CVE-2019-14235 GHSA-v9qg-3j8p-r63v PYSEC-2019-14) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-fbee-vj2y-cfeb (Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47) | content spoofing | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-fkch-835a-4ffd (Aliases: CVE-2015-5144 GHSA-q5qw-4364-5hhm PYSEC-2015-10) | Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-fynq-usj6-rfd3 (Aliases: CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16) | insufficient validation | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-gky3-h8cp-mue9 (Aliases: CVE-2015-2317 GHSA-7fq8-4pv5-5w5c PYSEC-2015-9) | The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. | Affected by 50 other vulnerabilities. |
| VCID-gzrn-p744-g7f2 (Aliases: CVE-2014-0480 GHSA-f7cm-ccfp-3q4r PYSEC-2014-4) | The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated. | Affected by 50 other vulnerabilities. |
| VCID-hs1y-thzf-qqct (Aliases: CVE-2016-9013 GHSA-mv8g-fhh6-6267 PYSEC-2016-17) | multiple issues | Affected by 38 other vulnerabilities. |
| VCID-j1jc-m7e2-5yck (Aliases: CVE-2018-7536 GHSA-r28v-mw67-m5p9 PYSEC-2018-5) | denial of service | Affected by 38 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-kn6j-a6az-skdu (Aliases: CVE-2014-1418 GHSA-q7q2-qf2q-rw3w PYSEC-2014-19) | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. | Affected by 50 other vulnerabilities. |
| VCID-kv5d-p5n4-r7dp (Aliases: BIT-django-2024-39614 CVE-2024-39614 GHSA-f6f8-9mx6-9mx2 PYSEC-2024-59) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-kxtt-861w-efg6 (Aliases: CVE-2013-6044 GHSA-9cwg-mhxf-hh59 PYSEC-2013-21) | The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. | Affected by 50 other vulnerabilities. |
| VCID-n9cz-g44c-4fht (Aliases: CVE-2019-14233 GHSA-h5jv-4p7w-64jg PYSEC-2019-12) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-n9xn-xrqw-qbfk (Aliases: CVE-2015-0221 GHSA-jhjg-w2cp-5j44 PYSEC-2015-6) | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | Affected by 50 other vulnerabilities. |
| VCID-nh19-fbce-wbfu (Aliases: CVE-2016-2512 GHSA-pw27-w7w4-9qc7 PYSEC-2016-15) | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com. | Affected by 50 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-nyc2-p1rp-xkb4 (Aliases: BIT-django-2025-26699 CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13) | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-ptk1-k7b2-gkdm (Aliases: CVE-2017-7233 GHSA-37hp-765x-j95x PYSEC-2017-9) | multiple issues | Affected by 38 other vulnerabilities. |
| VCID-q8cc-4wb1-afed (Aliases: CVE-2013-1443 GHSA-4c42-4rxm-x6qf PYSEC-2013-18) | The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed. | Affected by 50 other vulnerabilities. |
| VCID-qqqc-epf2-pqh9 (Aliases: DSA-2740-2 python-django) | regression | Affected by 50 other vulnerabilities. |
| VCID-s4vz-wfcp-aygd (Aliases: CVE-2016-9014 GHSA-3f2c-jm6v-cr35 PYSEC-2016-18) | multiple issues | Affected by 38 other vulnerabilities. |
| VCID-sz4x-rr8f-a3hf (Aliases: BIT-django-2024-39329 CVE-2024-39329 GHSA-x7q2-wr7g-xqmf PYSEC-2024-57) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-ty5v-6ub3-fufy (Aliases: CVE-2014-0481 GHSA-296w-6qhq-gf92 PYSEC-2014-5) | The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by uploading multiple files with the same name. | Affected by 50 other vulnerabilities. |
| VCID-u15a-4ste-43cy (Aliases: BIT-django-2025-64459 CVE-2025-64459 GHSA-frmv-pr5f-9mcr PYSEC-2025-108) | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-v8hg-78p1-87bh (Aliases: CVE-2019-14234 GHSA-6r97-cj55-9hrq PYSEC-2019-13) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-vm2w-caad-nyd3 (Aliases: BIT-django-2024-41989 CVE-2024-41989 GHSA-jh75-99hh-qvx9 PYSEC-2024-67) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-vpgq-jhzc-j7h2 (Aliases: BIT-django-2025-59681 CVE-2025-59681 GHSA-hpr9-3m2g-3j9p PYSEC-2025-106) | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to these methods (on MySQL and MariaDB). | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-vpja-nq3w-tka6 (Aliases: CVE-2014-0473 GHSA-89hj-xfx5-7q66 PYSEC-2014-2) | The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users. | Affected by 50 other vulnerabilities. |
| VCID-wj2g-v6dz-2yeq (Aliases: CVE-2019-6975 GHSA-wh4h-v3f2-r2pp PYSEC-2019-18) | denial of service | Affected by 30 other vulnerabilities. |
| VCID-wsx7-6bfa-pugr (Aliases: CVE-2019-3498 GHSA-337x-4q8g-prc5 PYSEC-2019-17) | content spoofing | Affected by 30 other vulnerabilities. |
| VCID-x129-emvy-mqfy (Aliases: CVE-2014-0483 GHSA-rw75-m7gp-92m3 PYSEC-2014-7) | The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. | Affected by 50 other vulnerabilities. |
| VCID-x2hp-rmcn-gbah (Aliases: CVE-2019-14232 GHSA-c4qh-4vgv-qc6g PYSEC-2019-11) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-x4s4-qav9-xbet (Aliases: BIT-django-2024-24680 CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28) | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-xmq2-18at-y3gj (Aliases: CVE-2025-59682 GHSA-q95w-c7qg-hrff) | Django vulnerable to partial directory traversal via archives. An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-xpsj-hx41-nub8 (Aliases: CVE-2014-0474 GHSA-wqjj-hx84-v449 PYSEC-2014-3) | The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." | Affected by 50 other vulnerabilities. |
| VCID-xu9t-qtjz-bud8 (Aliases: BIT-django-2020-13596 CVE-2020-13596 GHSA-2m34-jcjv-45xf PYSEC-2020-32) | multiple issues | Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
| VCID-y2nn-vgsc-f3er (Aliases: CVE-2015-0219 GHSA-7qfw-j7hp-v45g PYSEC-2015-4) | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | Affected by 50 other vulnerabilities. |
| VCID-yb2r-r8gy-3yhe (Aliases: CVE-2017-7234 GHSA-h4hv-m4h4-mhwg PYSEC-2017-10) | multiple issues | Affected by 38 other vulnerabilities. |
| VCID-ypwa-2rh9-gyex (Aliases: CVE-2019-12781 GHSA-6c7v-2f49-8h26 PYSEC-2019-10) | silent downgrade | Affected by 30 other vulnerabilities. |
| VCID-zuca-q98m-w7bk (Aliases: CVE-2016-7401 GHSA-crhm-qpjc-cm64 PYSEC-2016-3) | cross-site request forgery | Affected by 38 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |