Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Django

BOS ID

-
BOSS-VENDOR-65731

Tags

-
N/A

Related Bos

-
N/A

Note

-

https://en.wikipedia.org/wiki/Django_(web_framework) https://github.com/django https://www.djangoproject.com/ https://www.djangoproject.com/foundation/

Mapped CVEsMapped VendorsRelated AssignersReports
158Vulnerabilities found

CVE-2026-53878
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.15%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 14:10
Updated-09 Jul, 2026 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-144
Improper Neutralization of Line Delimiters
CVE-2026-53877
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-6.3||MEDIUM
EPSS-0.29% / 21.09%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 14:10
Updated-09 Jul, 2026 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Heap buffer over-read in GDALRaster

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2026-48588
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.38% / 29.77%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 14:09
Updated-09 Jul, 2026 | 13:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential exposure of private data via cached Set-Cookie response

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-524
Use of Cache Containing Sensitive Information
CVE-2026-44546
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-3.7||LOW
EPSS-0.17% / 6.85%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:17
Updated-15 Jun, 2026 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

Action-Not Available
Vendor-Django
Product-daphnedaphne
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-44545
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.91%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:17
Updated-15 Jun, 2026 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Action-Not Available
Vendor-Django
Product-daphnedaphne
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-48587
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.35% / 27.65%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:16
Updated-05 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential exposure of private data via whitespace padding in Vary header

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-1023
Incomplete Comparison with Missing Factors
CVE-2026-35193
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.36% / 28.14%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:16
Updated-05 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-524
Use of Cache Containing Sensitive Information
CVE-2026-8404
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.29% / 20.44%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:16
Updated-05 Jun, 2026 | 12:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-178
Improper Handling of Case Sensitivity
CVE-2026-7666
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.15% / 4.66%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:16
Updated-05 Jun, 2026 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential unencrypted email transmission via STARTTLS in the SMTP backend

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2026-6873
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.24% / 15.67%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 13:16
Updated-05 Jun, 2026 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-35192
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.54% / 42.01%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 14:50
Updated-06 May, 2026 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Action-Not Available
Vendor-Django
Product-Django
CWE ID-CWE-539
Use of Persistent Cookies Containing Sensitive Information
CVE-2026-6907
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.3||LOW
EPSS-0.36% / 28.09%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 14:50
Updated-07 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-524
Use of Cache Containing Sensitive Information
CVE-2026-5766
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-6.3||MEDIUM
EPSS-0.42% / 34.34%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 14:49
Updated-07 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2026-33034
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.77% / 51.46%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-13 Apr, 2026 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-33033
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-6.5||MEDIUM
EPSS-0.88% / 55.02%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-13 Apr, 2026 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2026-4292
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-2.7||LOW
EPSS-0.29% / 21.29%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-13 Apr, 2026 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege abuse in ModelAdmin.list_editable

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-862
Missing Authorization
CVE-2026-4277
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.93%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-23 Jun, 2026 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege abuse in GenericInlineModelAdmin

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-862
Missing Authorization
CVE-2026-3902
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.32%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:22
Updated-13 Apr, 2026 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ASGI header spoofing via underscore/hyphen conflation

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-25674
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-3.7||LOW
EPSS-0.34% / 26.35%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 14:28
Updated-05 Mar, 2026 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential incorrect permissions on newly created file system objects

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2026-25673
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.73% / 50.30%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 14:28
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Action-Not Available
Vendor-DjangoRed Hat, Inc.
Product-djangoDjangoRed Hat Satellite 6Red Hat Ansible Automation Platform 2Red Hat Discovery 2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-14550
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.99% / 58.69%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:38
Updated-04 Feb, 2026 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability via repeated headers when using ASGI

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoasgirefDjango
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2026-1312
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-0.80% / 52.54%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:36
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via QuerySet.order_by and FilteredRelation

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat OpenStack Platform 16.2Red Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.16 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.18 for RHEL 9Red Hat Ansible Automation Platform 2Red Hat Ansible Automation Platform 2.5Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat Satellite 6.17 for RHEL 9Red Hat Satellite 6Red Hat Discovery 2Red Hat OpenStack Platform 17.1Red Hat Ansible Automation Platform 2.6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-1287
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-0.75% / 50.94%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:36
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection in column aliases via control characters

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat OpenStack Platform 16.2Red Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.16 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.18 for RHEL 9Red Hat Ansible Automation Platform 2Red Hat Ansible Automation Platform 2.5Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat Satellite 6.17 for RHEL 9Red Hat Satellite 6Red Hat Discovery 2Red Hat OpenStack Platform 17.1Red Hat Ansible Automation Platform 2.6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-1285
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-0.99% / 58.69%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:35
Updated-04 Feb, 2026 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2026-1207
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-9.44% / 94.87%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:35
Updated-15 Jul, 2026 | 11:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via raster lookups on PostGIS

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat OpenStack Platform 16.2Red Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.16 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.18 for RHEL 9Red Hat Ansible Automation Platform 2Red Hat Ansible Automation Platform 2.5Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat Satellite 6.17 for RHEL 9Red Hat Satellite 6Red Hat Discovery 2Red Hat OpenStack Platform 17.1Red Hat Ansible Automation Platform 2.6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-13473
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.3||MEDIUM
EPSS-0.71% / 49.54%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:32
Updated-04 Feb, 2026 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Username enumeration through timing difference in mod_wsgi authentication handler

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2025-64460
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-2.14% / 80.02%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 15:15
Updated-10 Dec, 2025 | 21:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in XML serializer text extraction

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2025-13372
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-4.3||MEDIUM
EPSS-0.90% / 55.76%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 15:13
Updated-12 Dec, 2025 | 12:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection in FilteredRelation column aliases on PostgreSQL

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-64459
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-9.1||CRITICAL
EPSS-19.40% / 97.05%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 15:09
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via _connector keyword argument in QuerySet and Q objects

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-64458
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-7.5||HIGH
EPSS-1.93% / 77.74%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 15:07
Updated-10 Nov, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2025-59681
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.58% / 43.99%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 00:00
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-59682
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.1||LOW
EPSS-0.85% / 54.08%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 00:00
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-23
Relative Path Traversal
CVE-2025-57833
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-15.60% / 96.47%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 00:00
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-48432
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.63% / 46.12%
||
7 Day CHG+0.03%
Published-05 Jun, 2025 | 00:00
Updated-15 Oct, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Action-Not Available
Vendor-DjangoDebian GNU/Linux
Product-debian_linuxdjangoDjango
CWE ID-CWE-117
Improper Output Neutralization for Logs
CVE-2025-32873
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-14.24% / 96.19%
||
7 Day CHG~0.00%
Published-08 May, 2025 | 00:00
Updated-02 Sep, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-27556
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.8||MEDIUM
EPSS-1.00% / 58.79%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 00:00
Updated-03 Oct, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Action-Not Available
Vendor-Microsoft CorporationDjango
Product-djangowindowsDjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-26699
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.77% / 51.39%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 00:00
Updated-03 Oct, 2025 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

Action-Not Available
Vendor-DjangoDebian GNU/Linux
Product-djangodebian_linuxDjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-56374
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.8||MEDIUM
EPSS-1.89% / 77.19%
||
7 Day CHG+0.03%
Published-14 Jan, 2025 | 00:00
Updated-03 Oct, 2025 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

Action-Not Available
Vendor-DjangoDebian GNU/Linux
Product-djangodebian_linuxDjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-53907
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.40% / 69.39%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 00:00
Updated-31 Dec, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

Action-Not Available
Vendor-n/aDjango
Product-n/adjango
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-53908
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.42% / 69.93%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 00:00
Updated-09 Jun, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-45230
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-25.78% / 97.74%
||
7 Day CHG+0.46%
Published-08 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-45231
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 51.87%
||
7 Day CHG-0.02%
Published-08 Oct, 2024 | 00:00
Updated-17 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-41991
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.18%
||
7 Day CHG-0.01%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2024-41989
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.71%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-42005
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 65.49%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-41990
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.26% / 66.30%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2024-38875
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.19% / 64.36%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 00:00
Updated-04 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2024-39330
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.00% / 58.90%
||
7 Day CHG-0.01%
Published-10 Jul, 2024 | 00:00
Updated-04 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

Action-Not Available
Vendor-n/aDjango
Product-djangon/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-39614
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-28.64% / 97.92%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 00:00
Updated-04 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CVE-2024-39329
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.88% / 55.11%
||
7 Day CHG-0.01%
Published-10 Jul, 2024 | 00:00
Updated-04 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-208
Observable Timing Discrepancy
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next