django
PyPI158 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting djangopage 3 of 4
- CVE-2022-34265CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.0.62022-07-04
vulnerable: 3.2 ... 4.0.5 (20 versions)
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the look…
- CVE-2022-36359HIGHCVSS 8.8EG 8.8✓ Fixed in 4.0.72022-08-03
vulnerable: 3.2 ... 4.0.6 (22 versions)
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when…
- CVE-2022-41323HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.22022-10-16
vulnerable: 3.2 ... 1.0 (36 versions)
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
- CVE-2023-23969HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.62023-02-01
vulnerable: 3.2 ... 4.1.5 (32 versions)
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usag…
- CVE-2023-24580HIGHCVSS 7.5EG 7.5✓ Fixed in 4.1.72023-02-15
vulnerable: 3.2 ... 4.1.6 (35 versions)
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open file…
- CVE-2023-31047CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.2.12023-05-07
vulnerable: 3.2 ... 4.2rc1 (49 versions)
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageFi…
- CVE-2023-36053HIGHCVSS 7.5EG 7.5✓ Fixed in 3.2.202023-07-03
vulnerable: 3.2 ... 4.2.2 (47 versions)
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and …
- CVE-2023-41164HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.52023-11-03
vulnerable: 3.2 ... 4.2.4 (37 versions)
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
- CVE-2023-43665HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.62023-11-03
vulnerable: 3.2 ... 4.2.5 (40 versions)
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with …
- CVE-2023-46695HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.72023-11-02
vulnerable: 3.2 ... 4.2.6 (43 versions)
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of ser…
- CVE-2024-24680HIGHCVSS 7.5EG 7.5✓ Fixed in 5.0.22024-02-06
vulnerable: 3.2 ... 5.0.1 (36 versions)
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
- CVE-2024-27351MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.0.32024-03-15
vulnerable: 3.2 ... 5.0.2 (39 versions)
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-servic…
- CVE-2024-38875HIGHCVSS 7.5EG 7.5✓ Fixed in 5.0.72024-07-10
vulnerable: 4.2 ... 5.0.6 (21 versions)
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
- CVE-2024-39329MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.2.142024-07-10
vulnerable: 4.2 ... 5.0.6 (21 versions)
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users…
- CVE-2024-39330MEDIUMCVSS 4.3EG 4.3✓ Fixed in 4.2.142024-07-10
vulnerable: 4.2 ... 5.0.6 (21 versions)
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the pa…
- CVE-2024-39614HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.142024-07-10
vulnerable: 4.2 ... 5.0.6 (21 versions)
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
- CVE-2024-41989HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.152024-08-07
vulnerable: 4.2 ... 5.0.7 (23 versions)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large expon…
- CVE-2024-41990HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.152024-08-07
vulnerable: 4.2 ... 5.0.7 (23 versions)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
- CVE-2024-41991HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.152024-08-07
vulnerable: 4.2 ... 5.0.7 (23 versions)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very l…
- CVE-2024-42005HIGHCVSS 7.3EG 7.3✓ Fixed in 4.2.152024-08-07
vulnerable: 4.2 ... 5.0.7 (23 versions)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
- CVE-2024-45230HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.162024-10-08
vulnerable: 4.2 ... 5.1 (26 versions)
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence…
- CVE-2024-45231MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.2.162024-10-08
vulnerable: 1.0.1 ... 4.2rc1 (352 versions)
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by send…
- CVE-2024-53907HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.172024-12-06
vulnerable: 4.2 ... 5.1.3 (31 versions)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large seq…
- CVE-2024-53908CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.2.172024-12-06
vulnerable: 4.2 ... 5.1.3 (31 versions)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is…
- CVE-2024-56374MEDIUMCVSS 5.8EG 5.8✓ Fixed in 4.2.182025-01-14
vulnerable: 4.2 ... 5.1.4 (34 versions)
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The u…
- CVE-2025-13372MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.2.92025-12-02
vulnerable: 4.2 ... 5.2.8 (51 versions)
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` pass…
- CVE-2025-13473MEDIUMCVSS 5.3EG 5.3✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a …
- CVE-2025-14550HIGHCVSS 7.5EG 7.5✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupporte…
- CVE-2025-26699MEDIUMCVSS 5.0EG 5.0✓ Fixed in 4.2.202025-03-06
vulnerable: 4.2 ... 5.1.6 (40 versions)
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long str…
- CVE-2025-27556MEDIUMCVSS 5.8EG 5.8✓ Fixed in 5.0.142025-04-02
vulnerable: 5.0 ... 5.1.7 (22 versions)
An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_lan…
- CVE-2025-32873MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.2.12025-05-08
vulnerable: 4.2 ... 5.2 (31 versions)
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing la…
- CVE-2025-48432MEDIUMCVSS 4.0EG 4.0✓ Fixed in 4.2.222025-06-05
vulnerable: 4.2 ... 5.2.1 (34 versions)
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs.…
- CVE-2025-57833HIGHCVSS 7.1EG 7.1✓ Fixed in 5.2.62025-09-03
vulnerable: 4.2 ... 5.2.5 (42 versions)
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs p…
- CVE-2025-59681HIGHCVSS 7.1EG 7.1✓ Fixed in 5.2.72025-10-01
vulnerable: 4.2 ... 5.2.6 (45 versions)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a su…
- CVE-2025-59682LOWCVSS 3.1EG 3.1✓ Fixed in 5.2.72025-10-01
vulnerable: 5.2 ... 5.2.6 (7 versions)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory t…
- CVE-2025-64458HIGHCVSS 7.5EG 7.5✓ Fixed in 5.2.82025-11-05
vulnerable: 4.2 ... 5.2.7 (48 versions)
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and …
- CVE-2025-64459CRITICALCVSS 9.1EG 9.1✓ Fixed in 5.2.82025-11-05
vulnerable: 4.2 ... 5.2.7 (48 versions)
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably cra…
- CVE-2025-64460HIGHCVSS 7.5EG 7.5✓ Fixed in 5.2.92025-12-02
vulnerable: 4.2 ... 5.2.8 (51 versions)
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack…
- CVE-2026-1207MEDIUMCVSS 5.4EG 5.4✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported…
- CVE-2026-1285HIGHCVSS 7.5EG 7.5✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template …
- CVE-2026-1287MEDIUMCVSS 5.4EG 5.4✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion,…
- CVE-2026-1312MEDIUMCVSS 5.4EG 5.4✓ Fixed in 6.0.22026-02-03
vulnerable: 4.2 ... 6.0.1 (41 versions)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, wit…
- CVE-2026-33033MEDIUMCVSS 6.5EG 6.5✓ Fixed in 6.0.42026-04-07
vulnerable: 4.2 ... 6.0.3 (47 versions)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including exce…
- CVE-2026-33034HIGHCVSS 7.5EG 7.5✓ Fixed in 6.0.42026-04-07
vulnerable: 4.2 ... 6.0.3 (47 versions)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.bod…
- CVE-2026-35192MEDIUMCVSS 6.5EG 6.5✓ Fixed in 6.0.52026-05-05
vulnerable: 5.2 ... 6.0.4 (19 versions)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that us…
- CVE-2026-35193LOWCVSS 3.1EG 3.1✓ Fixed in 6.0.62026-06-03
vulnerable: 5.2 ... 6.0.5 (21 versions)
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-…
- CVE-2026-3902HIGHCVSS 7.5EG 7.5✓ Fixed in 6.0.42026-04-07
vulnerable: 4.2 ... 6.0.3 (47 versions)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to …
- CVE-2026-4277CRITICALCVSS 9.8EG 9.8✓ Fixed in 6.0.42026-04-07
vulnerable: 4.2 ... 6.0.3 (47 versions)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Dja…
- CVE-2026-4292LOWCVSS 2.7EG 2.7✓ Fixed in 6.0.42026-04-07
vulnerable: 4.2 ... 6.0.3 (47 versions)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Dj…
- CVE-2026-48587MEDIUMCVSS 5.3EG 3.1✓ Fixed in 6.0.62026-06-03
vulnerable: 5.2 ... 6.0.5 (21 versions)
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows rem…
Check whether django is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for django CVEs against the assets you own.
Start Free Scan →