Search for packages
| purl | pkg:pypi/django@4.2.11 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-28g3-ubx6-ebff
Aliases: CVE-2026-1285 GHSA-4rrr-2h4v-f3j9 |
Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-2tfv-rtq7-2fg9
Aliases: CVE-2025-13473 GHSA-2mcm-79hx-8fxw |
Django has Observable Timing Discrepancy An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-3sac-ah8j-pucd
Aliases: BIT-django-2024-53908 CVE-2024-53908 GHSA-m9g8-fxxm-xg86 PYSEC-2024-157 |
Django SQL injection in HasKey(lhs, rhs) on Oracle An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) |
Affected by 19 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-7tph-k8q2-bue2
Aliases: BIT-django-2024-41991 CVE-2024-41991 GHSA-r836-hh6v-rg5g PYSEC-2024-69 |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. |
Affected by 24 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-84mm-45p6-xkau
Aliases: CVE-2025-64458 GHSA-qw25-v68c-qjf3 |
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-896g-hqec-ryb9
Aliases: BIT-django-2025-48432 CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-8qu1-45n9-gyb1
Aliases: CVE-2026-1287 GHSA-gvg8-93h5-g6qq |
Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-9abh-apwm-ebab
Aliases: BIT-django-2025-32873 CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37 |
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). |
Affected by 16 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-9uzd-mmyv-mfh4
Aliases: CVE-2025-64459 GHSA-frmv-pr5f-9mcr |
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-ac4c-321h-tqfk
Aliases: CVE-2026-25674 GHSA-mjgh-79qc-68w3 |
Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-c6xy-v4sf-u3hn
Aliases: CVE-2025-59682 GHSA-q95w-c7qg-hrff |
Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
Affected by 12 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-e2jd-yd4j-kqgt
Aliases: CVE-2024-45231 GHSA-rrqc-c2jx-6jgv |
Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
Affected by 22 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-e87q-1j8h-93hh
Aliases: BIT-django-2024-56374 CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1 |
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) |
Affected by 18 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-e9k9-1s9f-dbgv
Aliases: CVE-2025-14550 GHSA-33mw-q7rj-mjwj |
Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-jzae-1awh-k7cm
Aliases: BIT-django-2024-38875 CVE-2024-38875 GHSA-qg2p-9jwr-mmqf PYSEC-2024-56 |
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. |
Affected by 28 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-m91a-6235-nye9
Aliases: BIT-django-2024-42005 CVE-2024-42005 GHSA-pv4p-cwwg-4rph PYSEC-2024-70 |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. |
Affected by 24 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-mga4-an1w-qqf9
Aliases: BIT-django-2024-45230 CVE-2024-45230 GHSA-5hgc-2vfp-mqvc PYSEC-2024-102 |
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
Affected by 22 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-msge-1mfu-7qfa
Aliases: CVE-2026-1312 GHSA-6426-9fv3-65x8 |
Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-mux4-uv98-hbbw
Aliases: CVE-2025-59681 GHSA-hpr9-3m2g-3j9p |
Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
Affected by 12 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-nda7-9219-6kce
Aliases: CVE-2026-25673 GHSA-8p8v-wh79-9r56 |
Django vulnerable to Uncontrolled Resource Consumption An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q12d-kv8p-8ff7
Aliases: BIT-django-2024-39329 CVE-2024-39329 GHSA-x7q2-wr7g-xqmf PYSEC-2024-57 |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. |
Affected by 28 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-rmdp-bnjj-zuf2
Aliases: PYSEC-2024-156 |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
Affected by 19 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-u3zk-tff2-aua9
Aliases: BIT-django-2024-39614 CVE-2024-39614 GHSA-f6f8-9mx6-9mx2 PYSEC-2024-59 |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. |
Affected by 28 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-ukkt-wgau-t3et
Aliases: CVE-2025-64460 GHSA-vrcr-9hj9-jcg6 |
Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-v1xr-z4zu-yfb4
Aliases: BIT-django-2024-41989 CVE-2024-41989 GHSA-jh75-99hh-qvx9 PYSEC-2024-67 |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. |
Affected by 24 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-vwt9-q3dt-vbfg
Aliases: CVE-2025-13372 GHSA-rqw2-ghq9-44m7 |
Django is vulnerable to SQL injection in column aliases An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. |
Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-w4pr-k5nj-ckgy
Aliases: CVE-2025-57833 GHSA-6w2r-r2m5-xq5w |
Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). |
Affected by 14 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-wwa5-mhgu-9khz
Aliases: CVE-2024-53907 GHSA-8498-2h75-472j |
Django denial-of-service in django.utils.html.strip_tags() An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. |
Affected by 19 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-xgv1-s2ek-q3dp
Aliases: BIT-django-2025-26699 CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13 |
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. |
Affected by 17 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-xhpa-mffz-syfy
Aliases: BIT-django-2024-41990 CVE-2024-41990 GHSA-795c-9xpc-xw6g PYSEC-2024-68 |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
Affected by 24 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-ysyp-h7ja-yff3
Aliases: CVE-2026-1207 GHSA-mwm9-4648-f68q |
Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-z27q-zfpz-ckby
Aliases: BIT-django-2024-39330 CVE-2024-39330 GHSA-9jmf-237g-qf46 PYSEC-2024-58 |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) |
Affected by 28 other vulnerabilities. Affected by 16 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jh1e-72hp-fuf4 | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. |
BIT-django-2024-27351
CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |