VulnerableCode Package Details - pkg:pypi/django@4.2.28

Search for packages

Vulnerability	Summary	Fixed by
VCID-ac4c-321h-tqfk Aliases: CVE-2026-25674 GHSA-mjgh-79qc-68w3	Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.	4.2.29 Affected by 0 other vulnerabilities. 5.0a1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.12 Affected by 0 other vulnerabilities. 6.0a1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.3 Affected by 0 other vulnerabilities.
VCID-nda7-9219-6kce Aliases: CVE-2026-25673 GHSA-8p8v-wh79-9r56	Django vulnerable to Uncontrolled Resource Consumption An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.	4.2.29 Affected by 0 other vulnerabilities. 5.0a1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.12 Affected by 0 other vulnerabilities. 6.0a1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ac4c-321h-tqfk
Aliases:
CVE-2026-25674
GHSA-mjgh-79qc-68w3

Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

4.2.29
Affected by 0 other vulnerabilities.

5.0a1
Affected by 4 other vulnerabilities.

5.2.12
Affected by 0 other vulnerabilities.

6.0a1
Affected by 6 other vulnerabilities.

6.0.3
Affected by 0 other vulnerabilities.

VCID-nda7-9219-6kce
Aliases:
CVE-2026-25673
GHSA-8p8v-wh79-9r56

Django vulnerable to Uncontrolled Resource Consumption An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

4.2.29
Affected by 0 other vulnerabilities.

5.0a1
Affected by 4 other vulnerabilities.

5.2.12
Affected by 0 other vulnerabilities.

6.0a1
Affected by 6 other vulnerabilities.

6.0.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-28g3-ubx6-ebff	Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.	CVE-2026-1285 GHSA-4rrr-2h4v-f3j9
VCID-2tfv-rtq7-2fg9	Django has Observable Timing Discrepancy An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.	CVE-2025-13473 GHSA-2mcm-79hx-8fxw
VCID-8qu1-45n9-gyb1	Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.	CVE-2026-1287 GHSA-gvg8-93h5-g6qq
VCID-e9k9-1s9f-dbgv	Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.	CVE-2025-14550 GHSA-33mw-q7rj-mjwj
VCID-msge-1mfu-7qfa	Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.	CVE-2026-1312 GHSA-6426-9fv3-65x8
VCID-ysyp-h7ja-yff3	Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.	CVE-2026-1207 GHSA-mwm9-4648-f68q

Vulnerability

Summary

Aliases

VCID-28g3-ubx6-ebff

Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2026-1285
GHSA-4rrr-2h4v-f3j9

VCID-2tfv-rtq7-2fg9

Django has Observable Timing Discrepancy An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

CVE-2025-13473
GHSA-2mcm-79hx-8fxw

VCID-8qu1-45n9-gyb1

Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

CVE-2026-1287
GHSA-gvg8-93h5-g6qq

VCID-e9k9-1s9f-dbgv

Django has Inefficient Algorithmic Complexity An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

CVE-2025-14550
GHSA-33mw-q7rj-mjwj

VCID-msge-1mfu-7qfa

Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

CVE-2026-1312
GHSA-6426-9fv3-65x8

VCID-ysyp-h7ja-yff3

Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-1207
GHSA-mwm9-4648-f68q

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T01:54:36.894761+00:00	GitLab Importer	Affected by	VCID-nda7-9219-6kce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25673.yml	38.3.0
2026-04-12T01:54:35.412086+00:00	GitLab Importer	Affected by	VCID-ac4c-321h-tqfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25674.yml	38.3.0
2026-04-05T04:22:08.024929+00:00	GitLab Importer	Affected by	VCID-nda7-9219-6kce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25673.yml	38.1.0
2026-04-05T04:22:06.669687+00:00	GitLab Importer	Affected by	VCID-ac4c-321h-tqfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25674.yml	38.1.0
2026-04-01T16:07:54.442349+00:00	GHSA Importer	Fixing	VCID-8qu1-45n9-gyb1	https://github.com/advisories/GHSA-gvg8-93h5-g6qq	38.0.0
2026-04-01T16:07:54.423776+00:00	GHSA Importer	Fixing	VCID-msge-1mfu-7qfa	https://github.com/advisories/GHSA-6426-9fv3-65x8	38.0.0
2026-04-01T16:07:54.354496+00:00	GHSA Importer	Fixing	VCID-28g3-ubx6-ebff	https://github.com/advisories/GHSA-4rrr-2h4v-f3j9	38.0.0
2026-04-01T16:07:54.309626+00:00	GHSA Importer	Fixing	VCID-ysyp-h7ja-yff3	https://github.com/advisories/GHSA-mwm9-4648-f68q	38.0.0
2026-04-01T16:07:54.241980+00:00	GHSA Importer	Fixing	VCID-e9k9-1s9f-dbgv	https://github.com/advisories/GHSA-33mw-q7rj-mjwj	38.0.0
2026-04-01T16:07:54.170694+00:00	GHSA Importer	Fixing	VCID-2tfv-rtq7-2fg9	https://github.com/advisories/GHSA-2mcm-79hx-8fxw	38.0.0
2026-04-01T12:53:48.079370+00:00	GitLab Importer	Fixing	VCID-2tfv-rtq7-2fg9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13473.yml	38.0.0
2026-04-01T12:53:47.994577+00:00	GitLab Importer	Fixing	VCID-8qu1-45n9-gyb1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-1287.yml	38.0.0
2026-04-01T12:53:47.921230+00:00	GitLab Importer	Fixing	VCID-e9k9-1s9f-dbgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-14550.yml	38.0.0
2026-04-01T12:53:47.795133+00:00	GitLab Importer	Fixing	VCID-ysyp-h7ja-yff3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-1207.yml	38.0.0
2026-04-01T12:53:46.966326+00:00	GitLab Importer	Fixing	VCID-msge-1mfu-7qfa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-1312.yml	38.0.0
2026-04-01T12:53:46.903219+00:00	GitLab Importer	Fixing	VCID-28g3-ubx6-ebff	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-1285.yml	38.0.0
2026-04-01T12:53:09.411707+00:00	GithubOSV Importer	Fixing	VCID-msge-1mfu-7qfa	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-6426-9fv3-65x8/GHSA-6426-9fv3-65x8.json	38.0.0
2026-04-01T12:53:08.643923+00:00	GithubOSV Importer	Fixing	VCID-e9k9-1s9f-dbgv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-33mw-q7rj-mjwj/GHSA-33mw-q7rj-mjwj.json	38.0.0
2026-04-01T12:52:54.496293+00:00	GithubOSV Importer	Fixing	VCID-28g3-ubx6-ebff	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4rrr-2h4v-f3j9/GHSA-4rrr-2h4v-f3j9.json	38.0.0
2026-04-01T12:52:52.220882+00:00	GithubOSV Importer	Fixing	VCID-2tfv-rtq7-2fg9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2mcm-79hx-8fxw/GHSA-2mcm-79hx-8fxw.json	38.0.0
2026-04-01T12:52:38.230729+00:00	GithubOSV Importer	Fixing	VCID-ysyp-h7ja-yff3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mwm9-4648-f68q/GHSA-mwm9-4648-f68q.json	38.0.0
2026-04-01T12:52:35.202109+00:00	GithubOSV Importer	Fixing	VCID-8qu1-45n9-gyb1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gvg8-93h5-g6qq/GHSA-gvg8-93h5-g6qq.json	38.0.0