Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/django@5.1.12
purl pkg:pypi/django@5.1.12
Next non-vulnerable version 5.1.15
Latest non-vulnerable version 6.0.4
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-84mm-45p6-xkau
Aliases:
CVE-2025-64458
GHSA-qw25-v68c-qjf3
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
5.1.14
Affected by 2 other vulnerabilities.
5.2.8
Affected by 10 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-9uzd-mmyv-mfh4
Aliases:
CVE-2025-64459
GHSA-frmv-pr5f-9mcr
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
5.1.14
Affected by 2 other vulnerabilities.
5.2.8
Affected by 10 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-c6xy-v4sf-u3hn
Aliases:
CVE-2025-59682
GHSA-q95w-c7qg-hrff
Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
5.1.13
Affected by 4 other vulnerabilities.
5.2a1
Affected by 11 other vulnerabilities.
5.2.7
Affected by 12 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-mux4-uv98-hbbw
Aliases:
CVE-2025-59681
GHSA-hpr9-3m2g-3j9p
Django vulnerable to SQL injection in column aliases An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
5.1.13
Affected by 4 other vulnerabilities.
5.2a1
Affected by 11 other vulnerabilities.
5.2.7
Affected by 12 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-ukkt-wgau-t3et
Aliases:
CVE-2025-64460
GHSA-vrcr-9hj9-jcg6
Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
5.1.15
Affected by 0 other vulnerabilities.
5.2.9
Affected by 8 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-vwt9-q3dt-vbfg
Aliases:
CVE-2025-13372
GHSA-rqw2-ghq9-44m7
Django is vulnerable to SQL injection in column aliases An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
5.1.15
Affected by 0 other vulnerabilities.
5.2.9
Affected by 8 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-w4pr-k5nj-ckgy Django is subject to SQL injection through its column aliases An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). CVE-2025-57833
GHSA-6w2r-r2m5-xq5w

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:01:03.946696+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.4.0
2026-04-17T00:00:48.701606+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.4.0
2026-04-16T23:51:37.107362+00:00 GitLab Importer Affected by VCID-84mm-45p6-xkau https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64458.yml 38.4.0
2026-04-16T23:51:34.276788+00:00 GitLab Importer Affected by VCID-9uzd-mmyv-mfh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64459.yml 38.4.0
2026-04-16T23:46:42.953620+00:00 GitLab Importer Affected by VCID-c6xy-v4sf-u3hn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59682.yml 38.4.0
2026-04-16T23:46:39.024330+00:00 GitLab Importer Affected by VCID-mux4-uv98-hbbw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59681.yml 38.4.0
2026-04-16T23:40:26.944388+00:00 GitLab Importer Fixing VCID-w4pr-k5nj-ckgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-57833.yml 38.4.0
2026-04-12T01:23:57.729535+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.3.0
2026-04-12T01:23:40.230014+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.3.0
2026-04-12T01:13:11.073771+00:00 GitLab Importer Affected by VCID-84mm-45p6-xkau https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64458.yml 38.3.0
2026-04-12T01:13:07.678511+00:00 GitLab Importer Affected by VCID-9uzd-mmyv-mfh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64459.yml 38.3.0
2026-04-12T01:07:53.777563+00:00 GitLab Importer Affected by VCID-c6xy-v4sf-u3hn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59682.yml 38.3.0
2026-04-12T01:07:49.585628+00:00 GitLab Importer Affected by VCID-mux4-uv98-hbbw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59681.yml 38.3.0
2026-04-12T01:01:13.696673+00:00 GitLab Importer Fixing VCID-w4pr-k5nj-ckgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-57833.yml 38.3.0
2026-04-07T04:58:42.961437+00:00 GHSA Importer Fixing VCID-w4pr-k5nj-ckgy https://github.com/advisories/GHSA-6w2r-r2m5-xq5w 38.1.0
2026-04-03T01:32:37.543144+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.1.0
2026-04-03T01:32:20.119555+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.1.0
2026-04-03T01:22:07.802015+00:00 GitLab Importer Affected by VCID-84mm-45p6-xkau https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64458.yml 38.1.0
2026-04-03T01:22:04.624865+00:00 GitLab Importer Affected by VCID-9uzd-mmyv-mfh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64459.yml 38.1.0
2026-04-03T01:16:32.138481+00:00 GitLab Importer Affected by VCID-c6xy-v4sf-u3hn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59682.yml 38.1.0
2026-04-03T01:16:27.728662+00:00 GitLab Importer Affected by VCID-mux4-uv98-hbbw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59681.yml 38.1.0
2026-04-03T01:09:28.404292+00:00 GitLab Importer Fixing VCID-w4pr-k5nj-ckgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-57833.yml 38.1.0
2026-04-02T12:42:09.061836+00:00 GitLab Importer Fixing VCID-w4pr-k5nj-ckgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-57833.yml 38.0.0
2026-04-01T12:55:05.197463+00:00 GithubOSV Importer Fixing VCID-w4pr-k5nj-ckgy https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6w2r-r2m5-xq5w/GHSA-6w2r-r2m5-xq5w.json 38.0.0