Search for packages
| purl | pkg:pypi/django@3.2b1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-42x9-8c3c-bug1
Aliases: BIT-django-2023-31047 CVE-2023-31047 GHSA-r3xc-prgr-mg9p PYSEC-2023-61 |
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. |
Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
VCID-6gss-ppm5-3yc9
Aliases: BIT-django-2022-36359 CVE-2022-36359 GHSA-8x94-hmjh-97hq PYSEC-2022-245 |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. |
Affected by 15 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-78r4-85ms-63hm
Aliases: BIT-django-2023-46695 CVE-2023-46695 GHSA-qmf9-6jqf-j8fq PYSEC-2023-222 |
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. |
Affected by 7 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 34 other vulnerabilities. |
|
VCID-84mm-45p6-xkau
Aliases: CVE-2025-64458 GHSA-qw25-v68c-qjf3 |
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-896g-hqec-ryb9
Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-8m4b-y4va-kqgm
Aliases: BIT-django-2023-43665 CVE-2023-43665 GHSA-h8gc-pgj2-vjm3 PYSEC-2023-226 |
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 35 other vulnerabilities. |
|
VCID-9uzd-mmyv-mfh4
Aliases: CVE-2025-64459 GHSA-frmv-pr5f-9mcr |
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-c8s7-3g9m-d3cw
Aliases: BIT-django-2021-33571 CVE-2021-33571 GHSA-p99v-5w3c-jqq9 PYSEC-2021-99 |
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) . |
Affected by 26 other vulnerabilities. |
|
VCID-e2jd-yd4j-kqgt
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 22 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-gan1-9gwu-63d2
Aliases: BIT-django-2021-35042 CVE-2021-35042 GHSA-xpfp-f569-q3p2 PYSEC-2021-109 |
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. |
Affected by 25 other vulnerabilities. |
|
VCID-mzdk-m12w-q3fc
Aliases: BIT-django-2021-44420 CVE-2021-44420 GHSA-v6rh-hp5x-86rv PYSEC-2021-439 |
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. |
Affected by 24 other vulnerabilities. |
|
VCID-nese-5485-hkbs
Aliases: BIT-django-2023-23969 CVE-2023-23969 GHSA-q2jf-h9jm-m7p4 PYSEC-2023-12 |
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. |
Affected by 13 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-t6uc-dfrd-jyfg
Aliases: BIT-django-2022-34265 CVE-2022-34265 GHSA-p64x-8rxx-wf6q PYSEC-2022-213 |
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. |
Affected by 16 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-w4pr-k5nj-ckgy
Aliases: CVE-2025-57833 GHSA-6w2r-r2m5-xq5w |
Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
Affected by 14 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-wz1q-1tjp-4qhw
Aliases: BIT-django-2023-36053 CVE-2023-36053 GHSA-jh3w-4vvf-mjgr PYSEC-2023-100 |
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. |
Affected by 10 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-ypub-ukuh-p3aw
Aliases: BIT-django-2023-24580 CVE-2023-24580 GHSA-2hrw-hx67-34x6 PYSEC-2023-13 |
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. |
Affected by 12 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-z8z1-cjee-kfeg
Aliases: BIT-django-2021-45115 CVE-2021-45115 GHSA-53qw-q765-4fww PYSEC-2022-1 |
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. |
Affected by 21 other vulnerabilities. Affected by 16 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||