Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ttm3-5a6e-wfa1
Vulnerability ID VCID-ttm3-5a6e-wfa1
Aliases CVE-2011-4139
GHSA-rm2j-x595-q9cj
PYSEC-2011-4
Summary Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.5 http://openwall.com/lists/oss-security/2011/09/11/1
cvssv4 8.7 http://openwall.com/lists/oss-security/2011/09/11/1
generic_textual HIGH http://openwall.com/lists/oss-security/2011/09/11/1
cvssv3.1 7.5 http://openwall.com/lists/oss-security/2011/09/13/2
cvssv4 8.7 http://openwall.com/lists/oss-security/2011/09/13/2
generic_textual HIGH http://openwall.com/lists/oss-security/2011/09/13/2
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
epss 0.00635 https://api.first.org/data/v1/epss?cve=CVE-2011-4139
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=737366
cvssv4 8.7 https://bugzilla.redhat.com/show_bug.cgi?id=737366
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=737366
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rm2j-x595-q9cj
cvssv3.1 7.5 https://github.com/django/django
cvssv4 8.7 https://github.com/django/django
generic_textual HIGH https://github.com/django/django
cvssv3.1 7.5 https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
cvssv4 8.7 https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
generic_textual HIGH https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
cvssv3.1 7.5 https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
cvssv4 8.7 https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
generic_textual HIGH https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
cvssv4 8.7 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
cvssv3.1 7.5 https://hermes.opensuse.org/messages/14700881
cvssv4 8.7 https://hermes.opensuse.org/messages/14700881
generic_textual HIGH https://hermes.opensuse.org/messages/14700881
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2011-4139
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2011-4139
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2011-4139
cvssv3.1 7.5 https://www.djangoproject.com/weblog/2011/sep/09
cvssv4 8.7 https://www.djangoproject.com/weblog/2011/sep/09
generic_textual HIGH https://www.djangoproject.com/weblog/2011/sep/09
cvssv3.1 7.5 https://www.djangoproject.com/weblog/2011/sep/10/127
cvssv4 8.7 https://www.djangoproject.com/weblog/2011/sep/10/127
generic_textual HIGH https://www.djangoproject.com/weblog/2011/sep/10/127
cvssv3.1 7.5 http://www.debian.org/security/2011/dsa-2332
cvssv4 8.7 http://www.debian.org/security/2011/dsa-2332
generic_textual HIGH http://www.debian.org/security/2011/dsa-2332
Reference id Reference type URL
http://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
https://api.first.org/data/v1/epss?cve=CVE-2011-4139
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4139
http://secunia.com/advisories/46614
https://github.com/django/django
https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127
https://www.djangoproject.com/weblog/2011/sep/10/127/
http://www.debian.org/security/2011/dsa-2332
641405 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641405
CVE-2011-4139 https://nvd.nist.gov/vuln/detail/CVE-2011-4139
GHSA-rm2j-x595-q9cj https://github.com/advisories/GHSA-rm2j-x595-q9cj
USN-1297-1 https://usn.ubuntu.com/1297-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://openwall.com/lists/oss-security/2011/09/11/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at http://openwall.com/lists/oss-security/2011/09/11/1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://openwall.com/lists/oss-security/2011/09/13/2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at http://openwall.com/lists/oss-security/2011/09/13/2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=737366
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=737366
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/2f7fadc38efa58ac0a8f93f936b82332a199f396
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django/commit/c613af4d6485586c79d692b70a9acac429f3ca9d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://hermes.opensuse.org/messages/14700881
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://hermes.opensuse.org/messages/14700881
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-4139
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-4139
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.djangoproject.com/weblog/2011/sep/09
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2011/sep/09
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.djangoproject.com/weblog/2011/sep/10/127
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2011/sep/10/127
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.debian.org/security/2011/dsa-2332
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at http://www.debian.org/security/2011/dsa-2332
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.70328
EPSS Score 0.00635
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:40:51.224175+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2011-4.yaml 38.0.0