django
PyPI158 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting djangopage 4 of 4
- CVE-2026-48588MEDIUMCVSS 5.3EG 3.1✓ Fixed in 6.0.72026-07-07
vulnerable: 5.2 ... 6.0.6 (23 versions)
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remot…
- CVE-2026-53877MEDIUMCVSS 4.8EG 4.8✓ Fixed in 6.0.72026-07-07
vulnerable: 5.2 ... 6.0.6 (23 versions)
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degrad…
- CVE-2026-53878MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.0.72026-07-07
vulnerable: 5.2 ... 6.0.6 (23 versions)
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values wit…
- CVE-2026-5766MEDIUMCVSS 5.3EG 5.3✓ Fixed in 6.0.52026-05-05
vulnerable: 5.2 ... 6.0.4 (19 versions)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and caus…
- CVE-2026-6873MEDIUMCVSS 4.3EG 3.1✓ Fixed in 6.0.62026-06-03
vulnerable: 5.2 ... 6.0.5 (21 versions)
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote a…
- CVE-2026-6907MEDIUMCVSS 4.3EG 4.3✓ Fixed in 6.0.52026-05-05
vulnerable: 5.2 ... 6.0.4 (19 versions)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being store…
- CVE-2026-7666LOWCVSS 3.1EG 3.1✓ Fixed in 6.0.62026-06-03
vulnerable: 5.2 ... 6.0.5 (21 versions)
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_s…
- CVE-2026-8404MEDIUMCVSS 5.3EG 3.1✓ Fixed in 6.0.62026-06-03
vulnerable: 5.2 ... 6.0.5 (21 versions)
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to rea…
Check whether django is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for django CVEs against the assets you own.
Start Free Scan →