Search for packages
| purl | pkg:pypi/django@4.2.16 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4c4n-p117-sqcv
Aliases: BIT-django-2025-26699 CVE-2025-26699 GHSA-p3fp-8748-vqfq PYSEC-2025-13 |
django: Potential denial-of-service vulnerability in django.utils.text.wrap() |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6eh4-7hcj-duft
Aliases: BIT-django-2025-32873 CVE-2025-32873 GHSA-8j24-cjrq-gr2m PYSEC-2025-37 |
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-ewxh-f1q5-kyaa
Aliases: BIT-django-2024-56374 CVE-2024-56374 GHSA-qcgg-j2x8-h9g8 PYSEC-2025-1 |
django: potential denial-of-service vulnerability in IPv6 validation |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-fuhn-4eep-23b5
Aliases: BIT-django-2024-53908 CVE-2024-53908 GHSA-m9g8-fxxm-xg86 PYSEC-2024-157 |
Django SQL injection in HasKey(lhs, rhs) on Oracle |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-uzhs-cg7d-jycp
Aliases: BIT-django-2024-53907 CVE-2024-53907 GHSA-8498-2h75-472j PYSEC-2024-156 |
Django denial-of-service in django.utils.html.strip_tags() |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-zdny-8vuh-9ycv
Aliases: CVE-2025-48432 GHSA-7xr5-9hcq-chf9 PYSEC-2025-47 |
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-c291-japf-r3a8 | An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. |
BIT-django-2024-45230
CVE-2024-45230 GHSA-5hgc-2vfp-mqvc PYSEC-2024-102 |
| VCID-dapt-wsva-ubfv | An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). |
CVE-2024-45231
GHSA-rrqc-c2jx-6jgv |