Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-gfym-spzk-w7gk
Vulnerability ID VCID-gfym-spzk-w7gk
Aliases CVE-2026-4277
GHSA-pwjp-ccjc-ghwg
Summary
Status Published
Exploitability 0.5
Weighted Severity 4.9
Risk 2.5
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-862 Missing Authorization
CWE-639 Authorization Bypass Through User-Controlled Key
System Score Found at
cvssv3 5.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-4277
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-4277
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2026-4277
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2026-4277
epss 0.00053 https://api.first.org/data/v1/epss?cve=CVE-2026-4277
cvssv4 2.3 https://docs.djangoproject.com/en/dev/releases/security
generic_textual LOW https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1 5.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-pwjp-ccjc-ghwg
cvssv4 2.3 https://github.com/django/django
generic_textual LOW https://github.com/django/django
cvssv4 2.3 https://groups.google.com/g/django-announce
generic_textual LOW https://groups.google.com/g/django-announce
cvssv4 2.3 https://nvd.nist.gov/vuln/detail/CVE-2026-4277
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-4277
cvssv4 2.3 https://www.djangoproject.com/weblog/2026/apr/07/security-releases
generic_textual LOW https://www.djangoproject.com/weblog/2026/apr/07/security-releases
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json
https://api.first.org/data/v1/epss?cve=CVE-2026-4277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4277
https://docs.djangoproject.com/en/dev/releases/security
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/apr/07/security-releases
1132927 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927
2455939 https://bugzilla.redhat.com/show_bug.cgi?id=2455939
CVE-2026-4277 https://nvd.nist.gov/vuln/detail/CVE-2026-4277
GHSA-pwjp-ccjc-ghwg https://github.com/advisories/GHSA-pwjp-ccjc-ghwg
USN-8154-1 https://usn.ubuntu.com/8154-1/
USN-8154-2 https://usn.ubuntu.com/8154-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4277.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://docs.djangoproject.com/en/dev/releases/security
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://groups.google.com/g/django-announce
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-4277
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://www.djangoproject.com/weblog/2026/apr/07/security-releases
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0197
EPSS Score 0.00013
Published At April 8, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-08T00:02:32.523368+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/8154-1/ 38.1.0