VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-c6xy-v4sf-u3hn

Essentials
Severities (33)
References (45)
Severity details (24)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-c6xy-v4sf-u3hn
Aliases	CVE-2025-59682 GHSA-q95w-c7qg-hrff
Summary	Django vulnerable to partial directory traversal via archives An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Status	Published
Exploitability	0.5
Weighted Severity	7.9
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-23	Relative Path Traversal
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59682.json
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
epss	0.0002	https://api.first.org/data/v1/epss?cve=CVE-2025-59682
cvssv3.1	3.1	https://docs.djangoproject.com/en/dev/releases/security
generic_textual	LOW	https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1	3.1	https://docs.djangoproject.com/en/dev/releases/security/
ssvc	Track	https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-q95w-c7qg-hrff
cvssv3.1	3.1	https://github.com/django/django
generic_textual	LOW	https://github.com/django/django
cvssv3.1	3.1	https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
generic_textual	LOW	https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
cvssv3.1	3.1	https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2
generic_textual	LOW	https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2
cvssv3.1	3.1	https://groups.google.com/g/django-announce
generic_textual	LOW	https://groups.google.com/g/django-announce
ssvc	Track	https://groups.google.com/g/django-announce
cvssv3.1	3.1	https://nvd.nist.gov/vuln/detail/CVE-2025-59682
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2025-59682
cvssv3.1	3.1	https://www.djangoproject.com/weblog/2025/oct/01/security-releases
generic_textual	LOW	https://www.djangoproject.com/weblog/2025/oct/01/security-releases
cvssv3.1	3.1	https://www.djangoproject.com/weblog/2025/oct/01/security-releases/
ssvc	Track	https://www.djangoproject.com/weblog/2025/oct/01/security-releases/
cvssv3.1	3.1	http://www.openwall.com/lists/oss-security/2025/10/01/3
generic_textual	LOW	http://www.openwall.com/lists/oss-security/2025/10/01/3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59682.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-59682
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
		https://docs.djangoproject.com/en/dev/releases/security
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/django/django
		https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e
		https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2
		https://groups.google.com/g/django-announce
		https://www.djangoproject.com/weblog/2025/oct/01/security-releases
		http://www.openwall.com/lists/oss-security/2025/10/01/3
1116979		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116979
2400450		https://bugzilla.redhat.com/show_bug.cgi?id=2400450
CVE-2025-59682		https://nvd.nist.gov/vuln/detail/CVE-2025-59682
GHSA-q95w-c7qg-hrff		https://github.com/advisories/GHSA-q95w-c7qg-hrff
RHSA-2025:18979		https://access.redhat.com/errata/RHSA-2025:18979
RHSA-2025:18984		https://access.redhat.com/errata/RHSA-2025:18984
RHSA-2025:19201		https://access.redhat.com/errata/RHSA-2025:19201
RHSA-2025:19221		https://access.redhat.com/errata/RHSA-2025:19221
RHSA-2025:23196		https://access.redhat.com/errata/RHSA-2025:23196
RHSA-2026:0414		https://access.redhat.com/errata/RHSA-2026:0414
security-releases		https://www.djangoproject.com/weblog/2025/oct/01/security-releases/
USN-7794-1		https://usn.ubuntu.com/7794-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59682.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://docs.djangoproject.com/en/dev/releases/security

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://docs.djangoproject.com/en/dev/releases/security/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:10:29Z/ Found at https://docs.djangoproject.com/en/dev/releases/security/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/django/django/commit/924a0c092e65fa2d0953fd1855d2dc8786d94de2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://groups.google.com/g/django-announce

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:10:29Z/ Found at https://groups.google.com/g/django-announce

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-59682

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://www.djangoproject.com/weblog/2025/oct/01/security-releases

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://www.djangoproject.com/weblog/2025/oct/01/security-releases/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-01T19:10:29Z/ Found at https://www.djangoproject.com/weblog/2025/oct/01/security-releases/

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2025/10/01/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.05204
EPSS Score	0.0002
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:52:56.901520+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-59682.yml	38.0.0