Search for packages
| purl | pkg:pypi/django@2.0rc1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27wt-wmzc-1bc2
Aliases: CVE-2018-6188 GHSA-rf4j-j272-fj86 PYSEC-2018-4 |
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. |
Affected by 17 other vulnerabilities. |
|
VCID-3s9f-prpy-hbcx
Aliases: CVE-2019-11358 GHSA-6c3j-c64m-qhgq |
Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.` |
Affected by 21 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-6gss-ppm5-3yc9
Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245 |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. |
Affected by 15 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-84mm-45p6-xkau
Aliases: CVE-2025-64458 GHSA-qw25-v68c-qjf3 |
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-896g-hqec-ryb9
Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-9uzd-mmyv-mfh4
Aliases: CVE-2025-64459 GHSA-frmv-pr5f-9mcr |
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-e2jd-yd4j-kqgt
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 22 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-mv1p-yxvp-pbh6
Aliases: CVE-2018-7536 GHSA-r28v-mw67-m5p9 PYSEC-2018-5 |
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. |
Affected by 15 other vulnerabilities. |
|
VCID-qm34-ec8s-tfd7
Aliases: BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98 |
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. |
Affected by 14 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-w4pr-k5nj-ckgy
Aliases: CVE-2025-57833 GHSA-6w2r-r2m5-xq5w |
Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
Affected by 14 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-x664-bfna-6qdv
Aliases: CVE-2019-3498 GHSA-337x-4q8g-prc5 PYSEC-2019-17 |
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. |
Affected by 12 other vulnerabilities. Affected by 26 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||