{"url":"http://public2.vulnerablecode.io/api/packages/46602?format=json","purl":"pkg:pypi/django@5.1.15","type":"pypi","namespace":"","name":"django","version":"5.1.15","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"5.2.14","latest_non_vulnerable_version":"6.0.5","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37152?format=json","vulnerability_id":"VCID-7c5n-nzwk-v7bz","summary":"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.","references":[{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf"},{"reference_url":"https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0"},{"reference_url":"https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e"},{"reference_url":"https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355"},{"reference_url":"https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases","reference_id":"","reference_type":"","scores":[],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13372","reference_id":"CVE-2025-13372","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13372"},{"reference_url":"https://github.com/advisories/GHSA-rqw2-ghq9-44m7","reference_id":"GHSA-rqw2-ghq9-44m7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rqw2-ghq9-44m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46601?format=json","purl":"pkg:pypi/django@4.2.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27"},{"url":"http://public2.vulnerablecode.io/api/packages/46602?format=json","purl":"pkg:pypi/django@5.1.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15"},{"url":"http://public2.vulnerablecode.io/api/packages/46603?format=json","purl":"pkg:pypi/django@5.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-abpe-htm1-9ubp"},{"vulnerability":"VCID-eqsc-axng-ckca"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-m4am-h2ea-3ffr"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9"}],"aliases":["CVE-2025-13372","GHSA-rqw2-ghq9-44m7","PYSEC-2025-104"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7c5n-nzwk-v7bz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37153?format=json","vulnerability_id":"VCID-fcg9-xypn-ykhf","summary":"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.","references":[{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security","reference_id":"","reference_type":"","scores":[],"url":"https://docs.djangoproject.com/en/dev/releases/security"},{"reference_url":"https://docs.djangoproject.com/en/dev/releases/security/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"reference_url":"https://github.com/django/django","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django"},{"reference_url":"https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b"},{"reference_url":"https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5"},{"reference_url":"https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0"},{"reference_url":"https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d"},{"reference_url":"https://groups.google.com/g/django-announce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://groups.google.com/g/django-announce"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases","reference_id":"","reference_type":"","scores":[],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases"},{"reference_url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64460","reference_id":"CVE-2025-64460","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64460"},{"reference_url":"https://github.com/advisories/GHSA-vrcr-9hj9-jcg6","reference_id":"GHSA-vrcr-9hj9-jcg6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vrcr-9hj9-jcg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46601?format=json","purl":"pkg:pypi/django@4.2.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.27"},{"url":"http://public2.vulnerablecode.io/api/packages/46602?format=json","purl":"pkg:pypi/django@5.1.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15"},{"url":"http://public2.vulnerablecode.io/api/packages/46603?format=json","purl":"pkg:pypi/django@5.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4kcg-gx5y-cuaw"},{"vulnerability":"VCID-abpe-htm1-9ubp"},{"vulnerability":"VCID-eqsc-axng-ckca"},{"vulnerability":"VCID-ga7z-wj4j-63h1"},{"vulnerability":"VCID-jybd-p65h-xffy"},{"vulnerability":"VCID-kxdd-yzp3-r7cb"},{"vulnerability":"VCID-m4am-h2ea-3ffr"},{"vulnerability":"VCID-phkp-9abp-f3dq"},{"vulnerability":"VCID-r1vx-vv7d-gqaj"},{"vulnerability":"VCID-shch-yusm-1uck"},{"vulnerability":"VCID-shjc-2j68-2yfy"},{"vulnerability":"VCID-tktt-vg92-6kae"},{"vulnerability":"VCID-tuqc-c251-h7ds"},{"vulnerability":"VCID-wa3g-27sx-mbcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.2.9"}],"aliases":["CVE-2025-64460","GHSA-vrcr-9hj9-jcg6","PYSEC-2025-109"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fcg9-xypn-ykhf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.15"}