VulnerableCode Package Details - pkg:deb/debian/python-django@2:2.2.28-1~deb11u9?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-c6xy-v4sf-u3hn	Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.	CVE-2025-59682 GHSA-q95w-c7qg-hrff
VCID-mux4-uv98-hbbw	Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).	CVE-2025-59681 GHSA-hpr9-3m2g-3j9p

Vulnerability

Summary

Aliases

VCID-c6xy-v4sf-u3hn

Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

CVE-2025-59682
GHSA-q95w-c7qg-hrff

VCID-mux4-uv98-hbbw

Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

CVE-2025-59681
GHSA-hpr9-3m2g-3j9p

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T09:01:08.549719+00:00	Debian Importer	Fixing	VCID-mux4-uv98-hbbw	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:55:41.044097+00:00	Debian Importer	Fixing	VCID-c6xy-v4sf-u3hn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-11T18:02:50.483841+00:00	Debian Importer	Fixing	VCID-mux4-uv98-hbbw	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:59:29.442883+00:00	Debian Importer	Fixing	VCID-c6xy-v4sf-u3hn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:50:45.911699+00:00	Debian Importer	Fixing	VCID-c6xy-v4sf-u3hn	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:50:45.837187+00:00	Debian Importer	Fixing	VCID-mux4-uv98-hbbw	https://security-tracker.debian.org/tracker/data/json	38.1.0