Search for packages
| purl | pkg:pypi/django@5.1.13 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-84mm-45p6-xkau
Aliases: CVE-2025-64458 GHSA-qw25-v68c-qjf3 |
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-9uzd-mmyv-mfh4
Aliases: CVE-2025-64459 GHSA-frmv-pr5f-9mcr |
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
Affected by 2 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-ukkt-wgau-t3et
Aliases: CVE-2025-64460 GHSA-vrcr-9hj9-jcg6 |
Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-vwt9-q3dt-vbfg
Aliases: CVE-2025-13372 GHSA-rqw2-ghq9-44m7 |
Django is vulnerable to SQL injection in column aliases An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. |
Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-c6xy-v4sf-u3hn | Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. |
CVE-2025-59682
GHSA-q95w-c7qg-hrff |
| VCID-mux4-uv98-hbbw | Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). |
CVE-2025-59681
GHSA-hpr9-3m2g-3j9p |