{"url":"http://public2.vulnerablecode.io/api/packages/45266?format=json","purl":"pkg:pypi/django@5.2.7","type":"pypi","namespace":"","name":"django","version":"5.2.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.2.14","latest_non_vulnerable_version":"6.0.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9603?format=json","vulnerability_id":"VCID-32d1-b8f2-hud5","summary":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33034.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33034.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33034","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10784","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33034"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://doc
s.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33034","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33034"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases","reference_id":"","reference_type":"","sco
res":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:43:43Z/"}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927","reference_id":"1132927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455927","reference_id":"2455927","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455927"},{"reference_url":"https://usn.ubuntu.com/8154-1/","reference_id":"USN-8154-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48115?format=json","purl":"pkg:pypi/django@5.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/48116?format=json","purl":"pkg:pypi/django@6.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.4"}],"aliases":
["BIT-django-2026-33034","CVE-2026-33034","GHSA-933h-hp56-hf7m","PYSEC-2026-49"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-32d1-b8f2-hud5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9644?format=json","vulnerability_id":"VCID-3ccr-92q5-aqfk","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35192","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1294","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35192"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:04:02Z/"}],"url"
:"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:04:02Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35192","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35192"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic
_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:04:02Z/"}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755","reference_id":"1135755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755"},{"reference_url":"https://usn.ubuntu.com/8232-1/","reference_id":"USN-8232-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8232-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48912?format=json","purl":"pkg:pypi/django@5.2.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/48913?format=json","purl":"pkg:pypi/django@6.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.5"}],"aliases":["BIT-django-2026-35192","CVE-2026-35192","GHSA-7h2m-m8vj-598h","PYSEC-2026-50"],"risk_score":2.6,"exploitability":"0.5","weighted_severity":"5.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ccr-92q5-aqfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9487?format=json","vulnerability_id":"VCID-3d6k-rdsh-k7hm","summary":"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 
4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-13372","reference_id":"","reference_type":"","scores":[{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00331","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-13372"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","sc
oring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf"},{"reference_url":"https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0"},{"reference_url":"https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e"},{"reference_url":"https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:
3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355"},{"reference_url":"https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/"}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-b
in/bugreport.cgi?bug=1121788","reference_id":"1121788","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418372","reference_id":"2418372","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418372"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13372","reference_id":"CVE-2025-13372","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13372"},{"reference_url":"https://github.com/advisories/GHSA-rqw2-ghq9-44m7","reference_id":"GHSA-rqw2-ghq9-44m7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqw2-ghq9-44m7"},{"reference_url":"https://usn.ubuntu.com/7903-1/","reference_id":"USN-7903-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7903-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45496?format=json","purl":"pkg:pypi/django@5.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9"}],"aliases":["BIT-django-2025-13372","CVE-202
5-13372","GHSA-rqw2-ghq9-44m7","PYSEC-2025-104"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3d6k-rdsh-k7hm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9532?format=json","vulnerability_id":"VCID-5fbx-3yfb-fudx","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13473.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13473.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-13473","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11039","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-13473"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/",
"reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:19:11Z/"}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436343","reference_id":"2436343","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436343"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13473","reference_id":"CVE-2025-13473","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13473"},{"reference_url":"https://github.com/advisories/GHSA-2mcm-79hx-8fxw","reference_id":"GHSA-2mcm-79hx-8fxw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2mcm-79hx-8fxw"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz
-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2"}],"aliases":["BIT-django-2025-13473","CVE-2025-13473","GHSA-2mcm-79hx-8fxw","PYSEC-2026-42"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fbx-3yfb-fudx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9536?format=json","vulnerability_id":"VCID-62jv-ab6d-sqdb","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1287","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01598","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1287"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
C:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/"}],"url":"https://www.djangoproject.com/
weblog/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436339","reference_id":"2436339","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436339"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1287","reference_id":"CVE-2026-1287","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1287"},{"reference_url":"https://github.com/advisories/GHSA-gvg8-93h5-g6qq","reference_id":"GHSA-gvg8-93h5-g6qq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gvg8-93h5-g6qq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:14835","reference_id":"RHSA-2026:14835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:14835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3958","reference_id":"RHSA-2026:3958","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3959","reference_id":"RHSA-2026:3959","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3960","reference_id":"RHSA-2026:3960","reference_type":"","scores":[],"url":"https://access.redhat.
com/errata/RHSA-2026:3960"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3962","reference_id":"RHSA-2026:3962","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3962"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6291","reference_id":"RHSA-2026:6291","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6291"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2"}],"aliases":["BIT-django-2026-1287","CVE-2026-1287","GHSA-gvg8-93h5-g6qq","PYSEC-2026-46"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-62jv-ab6d-sqdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/960
2?format=json","vulnerability_id":"VCID-63c7-mkxw-ufav","summary":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33033.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33033.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33033","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15551","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33033"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:21:08Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/project
s/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:21:08Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33033","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33033"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_
system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:21:08Z/"}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927","reference_id":"1132927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455962","reference_id":"2455962","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455962"},{"reference_url":"https://usn.ubuntu.com/8154-1/","reference_id":"USN-8154-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-1/"},{"reference_url":"https://usn.ubuntu.com/8154-2/","reference_id":"USN-8154-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48115?format=json","purl":"pkg:pypi/django@5.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/48116?format=json","purl":"pkg:pypi/django@6.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.4"}],"aliases":["BIT-django-2026-33033","CVE-2026-33033","GHSA-5mf9-h53q-7mhq","PYSEC-2026-48"],"risk_score":2.6,"exploitability":"0.5","weighted_severity":"5.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63c7-mkxw-ufav"},{"url":"http://public2.vulnerablecode.io/a
pi/vulnerabilities/9488?format=json","vulnerability_id":"VCID-7jbt-5zw2-vff2","summary":"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64460.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64460.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64460","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20956","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64460"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21
:53:53Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b"},{"reference_url":"https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5"},{"reference_url":"https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url"
:"https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0"},{"reference_url":"https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T21:53:53Z/"}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"},{"reference_
url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788","reference_id":"1121788","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418366","reference_id":"2418366","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2418366"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64460","reference_id":"CVE-2025-64460","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64460"},{"reference_url":"https://github.com/advisories/GHSA-vrcr-9hj9-jcg6","reference_id":"GHSA-vrcr-9hj9-jcg6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrcr-9hj9-jcg6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0414","reference_id":"RHSA-2026:0414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1249","reference_id":"RHSA-2026:1249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1249"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1497","reference_id":"RHSA-2026:1497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1497"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1506","reference_id":"RHSA-2026:1506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1506"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1599","reference_id":"RHSA-2026:1599","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1599"},{"reference_url":"ht
tps://access.redhat.com/errata/RHSA-2026:1609","reference_id":"RHSA-2026:1609","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1609"},{"reference_url":"https://usn.ubuntu.com/7903-1/","reference_id":"USN-7903-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7903-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45496?format=json","purl":"pkg:pypi/django@5.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9"}],"aliases":["BIT-django-2025-64460","CVE-2025-64460","GHSA-vrcr-9hj9-jcg6","PYSEC-2025-109"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jbt-5zw2-vff2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9533?format=json","vulnerability_id":"VCID-92bp-6kte-tyfs","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14550","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19503","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14550"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:
L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/"}],"url":"https://www.djangoproject.com/w
eblog/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436341","reference_id":"2436341","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436341"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14550","reference_id":"CVE-2025-14550","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14550"},{"reference_url":"https://github.com/advisories/GHSA-33mw-q7rj-mjwj","reference_id":"GHSA-33mw-q7rj-mjwj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-33mw-q7rj-mjwj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13508","reference_id":"RHSA-2026:13508","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13508"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:14835","reference_id":"RHSA-2026:14835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:14835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3958","reference_id":"RHSA-2026:3958","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3959","reference_id":"RHSA-2026:3959","reference_type":"","scores":[],"url":"https://access.redh
at.com/errata/RHSA-2026:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6291","reference_id":"RHSA-2026:6291","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6291"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2"}],"aliases":["BIT-django-2025-14550","CVE-2025-14550","GHSA-33mw-q7rj-mjwj","PYSEC-2026-43"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92bp-6kte-tyfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9645?format=json","vulnerability_id":"VCID-92z2-3rbz-77h9","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nASGI requests with a missing or understated 
`Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\n \nAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kyle Agronick for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-5766","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16269","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-5766"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T1
7:03:20Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:03:20Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5766","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N
/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5766"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:03:20Z/"}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755","reference_id":"1135755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755"},{"reference_url":"https://usn.ubuntu.com/8232-1/","reference_id":"USN-8232-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8232-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48912?format=json","purl":"pkg:pypi/django@5.2.14","is
_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/48913?format=json","purl":"pkg:pypi/django@6.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.5"}],"aliases":["BIT-django-2026-5766","CVE-2026-5766","GHSA-w26r-rmm8-9c29","PYSEC-2026-54"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92z2-3rbz-77h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9475?format=json","vulnerability_id":"VCID-9udu-eqvn-mqbj","summary":"An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nNFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`  were subject to a potential  denial-of-service attack via certain inputs with a very large number of Unicode characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64458.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64458","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07194","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64458"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/3790593781d26168e7306b5b2f8ea0309de16242"},{"reference_url":"https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/4f5d904b63751dea9ffc3b0e046404a7fa5881ac"},{"reference_url":"https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/6e13348436fccf8f22982921d6a3a3e65c956a9f"},{"reference_url":"https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/770eea38d7a0e9ba9455140b5a9a9e33618226a7"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/nov/05/
security-releases","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-05T16:20:23Z/"}],"url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2412649","reference_id":"2412649","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2412649"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64458","reference_id":"CVE-2025-64458","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64458"},{"reference_url":"https://github.com/advisories/GHSA-qw25-v68c-qjf3","reference_id":"GHSA-qw25-v68c-qjf3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qw25-v68c-qjf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45326?format=json","purl":"pkg:pypi/django@5.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-
mkxw-ufav"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8"}],"aliases":["BIT-django-2025-64458","CVE-2025-64458","GHSA-qw25-v68c-qjf3","PYSEC-2025-107"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9udu-eqvn-mqbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9535?format=json","vulnerability_id":"VCID-cbsj-1qqg-1ba6","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1285","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20962","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1285"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC
:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/"}],"url":"https://www.djangoproject.com/weblo
g/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436340","reference_id":"2436340","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436340"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1285","reference_id":"CVE-2026-1285","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1285"},{"reference_url":"https://github.com/advisories/GHSA-4rrr-2h4v-f3j9","reference_id":"GHSA-4rrr-2h4v-f3j9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4rrr-2h4v-f3j9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:14835","reference_id":"RHSA-2026:14835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:14835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3958","reference_id":"RHSA-2026:3958","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3959","reference_id":"RHSA-2026:3959","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6291","reference_id":"RHSA-2026:6291","reference_type":"","scores":[],"url":"https://access.redhat.com/err
ata/RHSA-2026:6291"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2"}],"aliases":["BIT-django-2026-1285","CVE-2026-1285","GHSA-4rrr-2h4v-f3j9","PYSEC-2026-45"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cbsj-1qqg-1ba6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9606?format=json","vulnerability_id":"VCID-cg44-thdw-cygg","summary":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may 
also be affected.\nDjango would like to thank Cantina for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4292.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4292.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-4292","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02704","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-4292"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4292","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4292"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T15:12:50Z/"}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927","reference_id":"1132927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bu
greport.cgi?bug=1132927"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455941","reference_id":"2455941","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455941"},{"reference_url":"https://usn.ubuntu.com/8154-1/","reference_id":"USN-8154-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-1/"},{"reference_url":"https://usn.ubuntu.com/8154-2/","reference_id":"USN-8154-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48115?format=json","purl":"pkg:pypi/django@5.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/48116?format=json","purl":"pkg:pypi/django@6.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.4"}],"aliases":["BIT-django-2026-4292","CVE-2026-4292","GHSA-mmwr-2jhp-mc7j","PYSEC-2026-53"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cg44-thdw-cygg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9537?format=json","vulnerability_id":"VCID-enen-3w2h-g3b8","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is used in `FilteredRelation` by way of a suitably crafted dictionary passed with dictionary expansion.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not 
evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1312","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01598","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1312"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84"},{"reference_url":"https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/securi
ty-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/"}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436342","reference_id":"2436342","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436342"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1312","reference_id":"CVE-2026-1312","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1312"},{"reference_url":"https://github.com/advisories/GHSA-6426-9fv3-65x8","reference_id":"GHSA-6426-9fv3-65x8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6426-9fv3-65x8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:14835","reference_id":"RHSA-2026:14835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:14835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3958","reference_id":"RHSA-2026:3958","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"reference_url":"https://acces
s.redhat.com/errata/RHSA-2026:3959","reference_id":"RHSA-2026:3959","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3960","reference_id":"RHSA-2026:3960","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3960"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3962","reference_id":"RHSA-2026:3962","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3962"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6291","reference_id":"RHSA-2026:6291","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6291"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/djang
o@6.0.2"}],"aliases":["BIT-django-2026-1312","CVE-2026-1312","GHSA-6426-9fv3-65x8","PYSEC-2026-47"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-enen-3w2h-g3b8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9646?format=json","vulnerability_id":"VCID-g22z-jue5-8udz","summary":"An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6907.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6907.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6907","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10204","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6907"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangopr
oject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:03:42Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:
N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:03:42Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6907","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6907"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T17:03:42Z/"}],"url":"https://www.djangoproject.com/weblog/2026/may/05/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755","reference_id":"1135755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135755"},{"reference_u
rl":"https://bugzilla.redhat.com/show_bug.cgi?id=2466771","reference_id":"2466771","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466771"},{"reference_url":"https://usn.ubuntu.com/8232-1/","reference_id":"USN-8232-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8232-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48912?format=json","purl":"pkg:pypi/django@5.2.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/48913?format=json","purl":"pkg:pypi/django@6.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.5"}],"aliases":["BIT-django-2026-6907","CVE-2026-6907","GHSA-5hrc-gvxj-w55p","PYSEC-2026-55"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g22z-jue5-8udz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9605?format=json","vulnerability_id":"VCID-heum-8mwz-sbcw","summary":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-4277","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0645","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-4277"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/dja
ngo"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4277","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4277"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927","reference_id":"1132927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455939","reference_id":"2455939","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455939"},{"reference_url":"https:
//usn.ubuntu.com/8154-1/","reference_id":"USN-8154-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-1/"},{"reference_url":"https://usn.ubuntu.com/8154-2/","reference_id":"USN-8154-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48115?format=json","purl":"pkg:pypi/django@5.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/48116?format=json","purl":"pkg:pypi/django@6.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.4"}],"aliases":["BIT-django-2026-4277","CVE-2026-4277","GHSA-pwjp-ccjc-ghwg","PYSEC-2026-52"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-heum-8mwz-sbcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9604?format=json","vulnerability_id":"VCID-j2uz-w2ur-7ud4","summary":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3902.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3902.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3902","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04025","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3902"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:14:03Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scori
ng_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:14:03Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3902","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3902"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:14:03Z/"}],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927","reference_id":"1132927","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927"},{"reference_url":"https://bugzilla.redhat.
com/show_bug.cgi?id=2455935","reference_id":"2455935","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455935"},{"reference_url":"https://usn.ubuntu.com/8154-1/","reference_id":"USN-8154-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8154-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48115?format=json","purl":"pkg:pypi/django@5.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/48116?format=json","purl":"pkg:pypi/django@6.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-g22z-jue5-8udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.4"}],"aliases":["BIT-django-2026-3902","CVE-2026-3902","GHSA-mvfq-ggxm-9mc5","PYSEC-2026-51"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j2uz-w2ur-7ud4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9534?format=json","vulnerability_id":"VCID-jma1-9ags-xbfm","summary":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this 
issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1207","reference_id":"","reference_type":"","scores":[{"value":"0.05295","scoring_system":"epss","scoring_elements":"0.90167","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1207"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
C:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/"}],"url":"https://www.djangoproject.com/
weblog/2026/feb/03/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914","reference_id":"1126914","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436338","reference_id":"2436338","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436338"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1207","reference_id":"CVE-2026-1207","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1207"},{"reference_url":"https://github.com/advisories/GHSA-mwm9-4648-f68q","reference_id":"GHSA-mwm9-4648-f68q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mwm9-4648-f68q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:14835","reference_id":"RHSA-2026:14835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:14835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2694","reference_id":"RHSA-2026:2694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3958","reference_id":"RHSA-2026:3958","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3958"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3959","reference_id":"RHSA-2026:3959","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3959"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3960","reference_id":"RHSA-2026:3960","reference_type":"","scores":[],"url":"https://access.redhat.
com/errata/RHSA-2026:3960"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3962","reference_id":"RHSA-2026:3962","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3962"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6291","reference_id":"RHSA-2026:6291","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6291"},{"reference_url":"https://usn.ubuntu.com/8009-1/","reference_id":"USN-8009-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8009-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46121?format=json","purl":"pkg:pypi/django@5.2.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/46122?format=json","purl":"pkg:pypi/django@6.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@6.0.2"}],"aliases":["BIT-django-2026-1207","CVE-2026-1207","GHSA-mwm9-4648-f68q","PYSEC-2026-44"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jma1-9ags-xbfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/947
6?format=json","vulnerability_id":"VCID-u15a-4ste-43cy","summary":"An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64459","reference_id":"","reference_type":"","scores":[{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.49195","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64459"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"
},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85"},{"reference_url":"https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4"},{"reference_url":"https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b"},{"reference_url":"https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/72
d2c87431f2ae0431d65d0ec792047f078c8241"},{"reference_url":"https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html"},{"reference_url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:
N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/"}],"url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139","reference_id":"1120139","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2412651","reference_id":"2412651","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2412651"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py","reference_id":"CVE-2025-64459","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64459","reference_id":"CVE-2025-64459","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64459"},{"reference_url":"https://github.com/advisories/GHSA-frmv-pr5f-9mcr","reference_id":"GHSA-frmv-pr5f-9mcr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-frmv-pr5f-9mcr"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23069","reference_id":"RHSA-2025:23069","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23069"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23070","reference_id":"RHSA-2025:23070","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23070"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23130","reference_id":"RHSA-2025:23
130","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23130"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23131","reference_id":"RHSA-2025:23131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23131"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23133","reference_id":"RHSA-2025:23133","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23133"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23196","reference_id":"RHSA-2025:23196","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23196"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1596","reference_id":"RHSA-2026:1596","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1596"},{"reference_url":"https://usn.ubuntu.com/7859-1/","reference_id":"USN-7859-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7859-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45326?format=json","purl":"pkg:pypi/django@5.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.8"}],"aliases":["BIT-django-2025-64459","CVE-2025-64459","GHSA-frmv-pr5f-9mcr","PYSEC-2025-108"],"ri
sk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u15a-4ste-43cy"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9464?format=json","vulnerability_id":"VCID-vpgq-jhzc-j7h2","summary":"An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59681.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59681.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59681","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02764","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59681"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:12:04Z/"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a"},{"reference_url":"https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVS
S:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:12:04Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:12:04Z/"}],"url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/10/01/3","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/10/01/3"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116979","reference_id":"1116979","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116979"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2400449","refe
rence_id":"2400449","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2400449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59681","reference_id":"CVE-2025-59681","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59681"},{"reference_url":"https://github.com/advisories/GHSA-hpr9-3m2g-3j9p","reference_id":"GHSA-hpr9-3m2g-3j9p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hpr9-3m2g-3j9p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18984","reference_id":"RHSA-2025:18984","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18984"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23196","reference_id":"RHSA-2025:23196","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23196"},{"reference_url":"https://usn.ubuntu.com/7794-1/","reference_id":"USN-7794-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7794-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45264?format=json","purl":"pkg:pypi/django@4.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID
-jma1-9ags-xbfm"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25"},{"url":"http://public2.vulnerablecode.io/api/packages/45265?format=json","purl":"pkg:pypi/django@5.1.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/45266?format=json","purl":"pkg:pypi/django@5.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7"}],"aliases":["BIT-django-2025-59681","CVE-2025-59681","GHSA-hpr9-3m2g-3j9p","PYSEC-2025-106"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vpgq-jhzc-j7h2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20336?format=json","vulnerability_id":"VCID-xmq2-18at-y3gj","summary":"Django vulnerable to partial directory traversal via archives\nAn issue was discovered in Django 4.2 before 4.2.25, 5.1 
before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59682.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59682.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59682","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04871","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59682"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/com
mit/43d84aef04a9e71164c21a74885996981857e66e","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e"},{"reference_url":"https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:10:29Z/"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.djangoproject.com/weblog/2025/oct/01/security-releases"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/10/01/3","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-
security/2025/10/01/3"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116979","reference_id":"1116979","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116979"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2400450","reference_id":"2400450","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2400450"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59682","reference_id":"CVE-2025-59682","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59682"},{"reference_url":"https://github.com/advisories/GHSA-q95w-c7qg-hrff","reference_id":"GHSA-q95w-c7qg-hrff","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q95w-c7qg-hrff"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18979","reference_id":"RHSA-2025:18979","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18979"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18984","reference_id":"RHSA-2025:18984","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18984"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19201","reference_id":"RHSA-2025:19201","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19221","reference_id":"RHSA-2025:19221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19221"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23196","reference_id":"RHSA-2025:23196","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2319
6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0414","reference_id":"RHSA-2026:0414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0414"},{"reference_url":"https://usn.ubuntu.com/7794-1/","reference_id":"USN-7794-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7794-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45264?format=json","purl":"pkg:pypi/django@4.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.25"},{"url":"http://public2.vulnerablecode.io/api/packages/45265?format=json","purl":"pkg:pypi/django@5.1.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/45266?format=json","purl":"pkg:pypi/django@5.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-32d1-b8f2-hud5"},{"vulnerability":"VCID-3ccr-92q5-aqfk"},{"vulnerability":"VCID-3d6k-rdsh-k7hm"},{"vulnerability":"VCID-5fbx-3yfb-fudx"},{"vulnerability":"VCID-62jv-ab6d-sqdb"},{"vulnerability":"VCID-63c7-mkxw-ufav"},{
"vulnerability":"VCID-7jbt-5zw2-vff2"},{"vulnerability":"VCID-92bp-6kte-tyfs"},{"vulnerability":"VCID-92z2-3rbz-77h9"},{"vulnerability":"VCID-9udu-eqvn-mqbj"},{"vulnerability":"VCID-cbsj-1qqg-1ba6"},{"vulnerability":"VCID-cg44-thdw-cygg"},{"vulnerability":"VCID-enen-3w2h-g3b8"},{"vulnerability":"VCID-g22z-jue5-8udz"},{"vulnerability":"VCID-heum-8mwz-sbcw"},{"vulnerability":"VCID-j2uz-w2ur-7ud4"},{"vulnerability":"VCID-jma1-9ags-xbfm"},{"vulnerability":"VCID-u15a-4ste-43cy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7"}],"aliases":["CVE-2025-59682","GHSA-q95w-c7qg-hrff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xmq2-18at-y3gj"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.7"}