Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/django@5.1.14
purl pkg:pypi/django@5.1.14
Next non-vulnerable version 5.1.15
Latest non-vulnerable version 6.0.4
Risk 3.4
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-ukkt-wgau-t3et
Aliases:
CVE-2025-64460
GHSA-vrcr-9hj9-jcg6
Django is vulnerable to DoS via XML serializer text extraction An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
5.1.15
Affected by 0 other vulnerabilities.
5.2.9
Affected by 8 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
VCID-vwt9-q3dt-vbfg
Aliases:
CVE-2025-13372
GHSA-rqw2-ghq9-44m7
Django is vulnerable to SQL injection in column aliases An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
5.1.15
Affected by 0 other vulnerabilities.
5.2.9
Affected by 8 other vulnerabilities.
6.0a1
Affected by 6 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-84mm-45p6-xkau Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. CVE-2025-64458
GHSA-qw25-v68c-qjf3
VCID-9uzd-mmyv-mfh4 Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. CVE-2025-64459
GHSA-frmv-pr5f-9mcr

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:01:03.953603+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.4.0
2026-04-17T00:00:48.708317+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.4.0
2026-04-12T01:23:57.737288+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.3.0
2026-04-12T01:23:40.237421+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.3.0
2026-04-03T01:32:37.550485+00:00 GitLab Importer Affected by VCID-ukkt-wgau-t3et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64460.yml 38.1.0
2026-04-03T01:32:20.127041+00:00 GitLab Importer Affected by VCID-vwt9-q3dt-vbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.1.0
2026-04-01T16:07:05.133383+00:00 GHSA Importer Fixing VCID-84mm-45p6-xkau https://github.com/advisories/GHSA-qw25-v68c-qjf3 38.0.0
2026-04-01T16:07:05.097322+00:00 GHSA Importer Fixing VCID-9uzd-mmyv-mfh4 https://github.com/advisories/GHSA-frmv-pr5f-9mcr 38.0.0
2026-04-01T12:56:27.990482+00:00 GithubOSV Importer Fixing VCID-84mm-45p6-xkau https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-qw25-v68c-qjf3/GHSA-qw25-v68c-qjf3.json 38.0.0
2026-04-01T12:56:27.202100+00:00 GithubOSV Importer Fixing VCID-9uzd-mmyv-mfh4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-frmv-pr5f-9mcr/GHSA-frmv-pr5f-9mcr.json 38.0.0
2026-04-01T12:53:08.496729+00:00 GitLab Importer Fixing VCID-84mm-45p6-xkau https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64458.yml 38.0.0
2026-04-01T12:53:08.340981+00:00 GitLab Importer Fixing VCID-9uzd-mmyv-mfh4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64459.yml 38.0.0