VulnerableCode Package Details - pkg:deb/debian/python-django@2:2.2.28-1~deb11u10?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9uzd-mmyv-mfh4	Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.	CVE-2025-64459 GHSA-frmv-pr5f-9mcr
VCID-ukkt-wgau-t3et	Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.	CVE-2025-64460 GHSA-vrcr-9hj9-jcg6

Vulnerability

Summary

Aliases

VCID-9uzd-mmyv-mfh4

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

CVE-2025-64459
GHSA-frmv-pr5f-9mcr

VCID-ukkt-wgau-t3et

Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2025-64460
GHSA-vrcr-9hj9-jcg6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:35:38.254405+00:00	Debian Importer	Fixing	VCID-ukkt-wgau-t3et	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:05:16.148777+00:00	Debian Importer	Fixing	VCID-9uzd-mmyv-mfh4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-12T18:15:37.048358+00:00	Debian Importer	Fixing	VCID-ukkt-wgau-t3et	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-12T18:15:36.963389+00:00	Debian Importer	Fixing	VCID-9uzd-mmyv-mfh4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:46.104472+00:00	Debian Importer	Fixing	VCID-ukkt-wgau-t3et	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:46.029511+00:00	Debian Importer	Fixing	VCID-9uzd-mmyv-mfh4	https://security-tracker.debian.org/tracker/data/json	38.1.0