Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qzba-9xmg-3qer
Vulnerability ID VCID-qzba-9xmg-3qer
Aliases CVE-2014-0472
GHSA-rvq6-mrpv-m6rm
PYSEC-2014-1
Summary The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 9.8 http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
cvssv4 9.3 http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
generic_textual CRITICAL http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
cvssv3.1 9.8 http://rhn.redhat.com/errata/RHSA-2014-0456.html
cvssv4 9.3 http://rhn.redhat.com/errata/RHSA-2014-0456.html
generic_textual CRITICAL http://rhn.redhat.com/errata/RHSA-2014-0456.html
cvssv3.1 9.8 http://rhn.redhat.com/errata/RHSA-2014-0457.html
cvssv4 9.3 http://rhn.redhat.com/errata/RHSA-2014-0457.html
generic_textual CRITICAL http://rhn.redhat.com/errata/RHSA-2014-0457.html
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
epss 0.06894 https://api.first.org/data/v1/epss?cve=CVE-2014-0472
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rvq6-mrpv-m6rm
cvssv3.1 9.8 https://github.com/django/django
cvssv4 9.3 https://github.com/django/django
generic_textual CRITICAL https://github.com/django/django
cvssv3.1 9.8 https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
cvssv4 9.3 https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
generic_textual CRITICAL https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
cvssv3.1 9.8 https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
cvssv4 9.3 https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
generic_textual CRITICAL https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
cvssv3.1 9.8 https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
cvssv4 9.3 https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
generic_textual CRITICAL https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
cvssv3.1 9.8 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
cvssv4 9.3 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
generic_textual CRITICAL https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2014-0472
cvssv4 9.3 https://nvd.nist.gov/vuln/detail/CVE-2014-0472
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2014-0472
cvssv3.1 9.8 https://www.djangoproject.com/weblog/2014/apr/21/security
cvssv4 9.3 https://www.djangoproject.com/weblog/2014/apr/21/security
generic_textual CRITICAL https://www.djangoproject.com/weblog/2014/apr/21/security
cvssv3.1 9.8 http://www.debian.org/security/2014/dsa-2934
cvssv4 9.3 http://www.debian.org/security/2014/dsa-2934
generic_textual CRITICAL http://www.debian.org/security/2014/dsa-2934
cvssv3.1 9.8 http://www.ubuntu.com/usn/USN-2169-1
cvssv4 9.3 http://www.ubuntu.com/usn/USN-2169-1
generic_textual CRITICAL http://www.ubuntu.com/usn/USN-2169-1
Reference id Reference type URL
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://rhn.redhat.com/errata/RHSA-2014-0456.html
http://rhn.redhat.com/errata/RHSA-2014-0457.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0472.json
https://api.first.org/data/v1/epss?cve=CVE-2014-0472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
http://secunia.com/advisories/61281
https://github.com/django/django
https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
https://nvd.nist.gov/vuln/detail/CVE-2014-0472
https://www.djangoproject.com/weblog/2014/apr/21/security
https://www.djangoproject.com/weblog/2014/apr/21/security/
http://www.debian.org/security/2014/dsa-2934
http://www.ubuntu.com/usn/USN-2169-1
1090588 https://bugzilla.redhat.com/show_bug.cgi?id=1090588
GHSA-rvq6-mrpv-m6rm https://github.com/advisories/GHSA-rvq6-mrpv-m6rm
GLSA-201406-26 https://security.gentoo.org/glsa/201406-26
RHSA-2014:0456 https://access.redhat.com/errata/RHSA-2014:0456
RHSA-2014:0457 https://access.redhat.com/errata/RHSA-2014:0457
USN-2169-1 https://usn.ubuntu.com/2169-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://rhn.redhat.com/errata/RHSA-2014-0456.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at http://rhn.redhat.com/errata/RHSA-2014-0456.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://rhn.redhat.com/errata/RHSA-2014-0457.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at http://rhn.redhat.com/errata/RHSA-2014-0457.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2014-0472
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2014-0472
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.djangoproject.com/weblog/2014/apr/21/security
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2014/apr/21/security
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.debian.org/security/2014/dsa-2934
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at http://www.debian.org/security/2014/dsa-2934
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.ubuntu.com/usn/USN-2169-1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at http://www.ubuntu.com/usn/USN-2169-1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.91336
EPSS Score 0.06894
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:41:00.249719+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2014-1.yaml 38.0.0