VulnerableCode Package Details - pkg:pypi/django@6.0.3

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ac4c-321h-tqfk	Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.	CVE-2026-25674 GHSA-mjgh-79qc-68w3
VCID-nda7-9219-6kce	Django vulnerable to Uncontrolled Resource Consumption An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.	CVE-2026-25673 GHSA-8p8v-wh79-9r56

Vulnerability

Summary

Aliases

VCID-ac4c-321h-tqfk

Django has a Race Condition vulnerability An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-25674
GHSA-mjgh-79qc-68w3

VCID-nda7-9219-6kce

Django vulnerable to Uncontrolled Resource Consumption An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVE-2026-25673
GHSA-8p8v-wh79-9r56

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-06T06:40:20.406949+00:00	GitLab Importer	Fixing	VCID-nda7-9219-6kce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25673.yml	38.1.0
2026-04-06T06:40:20.287662+00:00	GitLab Importer	Fixing	VCID-ac4c-321h-tqfk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2026-25674.yml	38.1.0
2026-04-01T16:08:18.916269+00:00	GHSA Importer	Fixing	VCID-nda7-9219-6kce	https://github.com/advisories/GHSA-8p8v-wh79-9r56	38.0.0
2026-04-01T16:08:18.867344+00:00	GHSA Importer	Fixing	VCID-ac4c-321h-tqfk	https://github.com/advisories/GHSA-mjgh-79qc-68w3	38.0.0
2026-04-01T12:53:59.346601+00:00	GithubOSV Importer	Fixing	VCID-ac4c-321h-tqfk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mjgh-79qc-68w3/GHSA-mjgh-79qc-68w3.json	38.0.0
2026-04-01T12:53:40.463637+00:00	GithubOSV Importer	Fixing	VCID-nda7-9219-6kce	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8p8v-wh79-9r56/GHSA-8p8v-wh79-9r56.json	38.0.0