Search for packages
| purl | pkg:deb/debian/python-django@3:3.2.19-1%2Bdeb12u1 |
| Next non-vulnerable version | 3:3.2.25-0+deb12u2 |
| Latest non-vulnerable version | 3:4.2.30-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1adz-zw3h-pqek
Aliases: CVE-2026-3902 GHSA-mvfq-ggxm-9mc5 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-46pv-pzsu-jucd
Aliases: CVE-2026-4292 GHSA-mmwr-2jhp-mc7j |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-ac4c-321h-tqfk
Aliases: CVE-2026-25674 GHSA-mjgh-79qc-68w3 |
Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ff2a-at5f-2qa8
Aliases: CVE-2026-33033 GHSA-5mf9-h53q-7mhq |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-gfym-spzk-w7gk
Aliases: CVE-2026-4277 GHSA-pwjp-ccjc-ghwg |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-jzae-1awh-k7cm
Aliases: BIT-django-2024-38875 CVE-2024-38875 GHSA-qg2p-9jwr-mmqf PYSEC-2024-56 |
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. |
Affected by 0 other vulnerabilities. |
|
VCID-mga4-an1w-qqf9
Aliases: BIT-django-2024-45230 CVE-2024-45230 GHSA-5hgc-2vfp-mqvc PYSEC-2024-102 |
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
Affected by 0 other vulnerabilities. |
|
VCID-ssut-reka-r3f8
Aliases: CVE-2026-33034 GHSA-933h-hp56-hf7m |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-xhpa-mffz-syfy
Aliases: BIT-django-2024-41990 CVE-2024-41990 GHSA-795c-9xpc-xw6g PYSEC-2024-68 |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-28g3-ubx6-ebff | Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
CVE-2026-1285
GHSA-4rrr-2h4v-f3j9 |
| VCID-2tfv-rtq7-2fg9 | Django has Observable Timing Discrepancy An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. |
CVE-2025-13473
GHSA-2mcm-79hx-8fxw |
| VCID-4ztz-fq98-5fh1 | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
BIT-django-2023-41164
CVE-2023-41164 GHSA-7h4p-27mh-hmrw PYSEC-2023-225 |
| VCID-7tph-k8q2-bue2 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. |
BIT-django-2024-41991
CVE-2024-41991 GHSA-r836-hh6v-rg5g PYSEC-2024-69 |
| VCID-896g-hqec-ryb9 | An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
BIT-django-2025-48432
CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
| VCID-8m4b-y4va-kqgm | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
BIT-django-2023-43665
CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226 |
| VCID-8qu1-45n9-gyb1 | Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. |
CVE-2026-1287
GHSA-gvg8-93h5-g6qq |
| VCID-8xgs-8xjr-cber | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
BIT-django-2024-24680
CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28 |
| VCID-9abh-apwm-ebab | An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). |
BIT-django-2025-32873
CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37 |
| VCID-9uzd-mmyv-mfh4 | Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
CVE-2025-64459
GHSA-frmv-pr5f-9mcr |
| VCID-c6xy-v4sf-u3hn | Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
CVE-2025-59682
GHSA-q95w-c7qg-hrff |
| VCID-e2jd-yd4j-kqgt | Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
CVE-2024-45231
GHSA-rrqc-c2jx-6jgv |
| VCID-e87q-1j8h-93hh | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) |
BIT-django-2024-56374
CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1 |
| VCID-jh1e-72hp-fuf4 | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
BIT-django-2024-27351
CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
| VCID-m91a-6235-nye9 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. |
BIT-django-2024-42005
CVE-2024-42005 GHSA-pv4p-cwwg-4rph PYSEC-2024-70 |
| VCID-msge-1mfu-7qfa | Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. |
CVE-2026-1312
GHSA-6426-9fv3-65x8 |
| VCID-mux4-uv98-hbbw | Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
CVE-2025-59681
GHSA-hpr9-3m2g-3j9p |
| VCID-q12d-kv8p-8ff7 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. |
BIT-django-2024-39329
CVE-2024-39329 GHSA-x7q2-wr7g-xqmf PYSEC-2024-57 |
| VCID-u3zk-tff2-aua9 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. |
BIT-django-2024-39614
CVE-2024-39614 GHSA-f6f8-9mx6-9mx2 PYSEC-2024-59 |
| VCID-ukkt-wgau-t3et | Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
CVE-2025-64460
GHSA-vrcr-9hj9-jcg6 |
| VCID-v1xr-z4zu-yfb4 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. |
BIT-django-2024-41989
CVE-2024-41989 GHSA-jh75-99hh-qvx9 PYSEC-2024-67 |
| VCID-w4pr-k5nj-ckgy | Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
CVE-2025-57833
GHSA-6w2r-r2m5-xq5w |
| VCID-wwa5-mhgu-9khz | Django denial-of-service in django.utils.html.strip_tags() An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
CVE-2024-53907
GHSA-8498-2h75-472j |
| VCID-xgv1-s2ek-q3dp | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. |
BIT-django-2025-26699
CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13 |
| VCID-ysyp-h7ja-yff3 | Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. |
CVE-2026-1207
GHSA-mwm9-4648-f68q |
| VCID-z27q-zfpz-ckby | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) |
BIT-django-2024-39330
CVE-2024-39330 GHSA-9jmf-237g-qf46 PYSEC-2024-58 |