Search for packages
| purl | pkg:deb/debian/python-django@3:3.2.25-0%2Bdeb12u1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2zb9-27sm-3kgh | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. |
CVE-2019-14232
GHSA-c4qh-4vgv-qc6g PYSEC-2019-11 |
| VCID-4ztz-fq98-5fh1 | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
BIT-django-2023-41164
CVE-2023-41164 GHSA-7h4p-27mh-hmrw PYSEC-2023-225 |
| VCID-7tph-k8q2-bue2 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. |
BIT-django-2024-41991
CVE-2024-41991 GHSA-r836-hh6v-rg5g PYSEC-2024-69 |
| VCID-896g-hqec-ryb9 | An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
BIT-django-2025-48432
CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
| VCID-8m4b-y4va-kqgm | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
BIT-django-2023-43665
CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226 |
| VCID-8xgs-8xjr-cber | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
BIT-django-2024-24680
CVE-2024-24680 GHSA-xxj9-f6rv-m3x4 PYSEC-2024-28 |
| VCID-9abh-apwm-ebab | An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). |
BIT-django-2025-32873
CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37 |
| VCID-9uzd-mmyv-mfh4 | Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
CVE-2025-64459
GHSA-frmv-pr5f-9mcr |
| VCID-c6xy-v4sf-u3hn | Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
CVE-2025-59682
GHSA-q95w-c7qg-hrff |
| VCID-e2jd-yd4j-kqgt | Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
CVE-2024-45231
GHSA-rrqc-c2jx-6jgv |
| VCID-e87q-1j8h-93hh | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) |
BIT-django-2024-56374
CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1 |
| VCID-jh1e-72hp-fuf4 | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
BIT-django-2024-27351
CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
| VCID-m91a-6235-nye9 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. |
BIT-django-2024-42005
CVE-2024-42005 GHSA-pv4p-cwwg-4rph PYSEC-2024-70 |
| VCID-mux4-uv98-hbbw | Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
CVE-2025-59681
GHSA-hpr9-3m2g-3j9p |
| VCID-q12d-kv8p-8ff7 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. |
BIT-django-2024-39329
CVE-2024-39329 GHSA-x7q2-wr7g-xqmf PYSEC-2024-57 |
| VCID-u3zk-tff2-aua9 | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. |
BIT-django-2024-39614
CVE-2024-39614 GHSA-f6f8-9mx6-9mx2 PYSEC-2024-59 |
| VCID-ukkt-wgau-t3et | Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
CVE-2025-64460
GHSA-vrcr-9hj9-jcg6 |
| VCID-v1xr-z4zu-yfb4 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. |
BIT-django-2024-41989
CVE-2024-41989 GHSA-jh75-99hh-qvx9 PYSEC-2024-67 |
| VCID-vwt9-q3dt-vbfg | Django is vulnerable to SQL injection in column aliases An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. |
CVE-2025-13372
GHSA-rqw2-ghq9-44m7 |
| VCID-w4pr-k5nj-ckgy | Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
CVE-2025-57833
GHSA-6w2r-r2m5-xq5w |
| VCID-wwa5-mhgu-9khz | Django denial-of-service in django.utils.html.strip_tags() An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
CVE-2024-53907
GHSA-8498-2h75-472j |
| VCID-xgv1-s2ek-q3dp | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. |
BIT-django-2025-26699
CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13 |
| VCID-z27q-zfpz-ckby | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) |
BIT-django-2024-39330
CVE-2024-39330 GHSA-9jmf-237g-qf46 PYSEC-2024-58 |