Skip to main content

Django CVE-2026-27982

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-03-05 vultures@jpcert.or.jp GHSA-2jpr-83rg-v67j
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on django-allauth (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 65.14.1.

DescriptionCVE.org

An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.

AnalysisAI

Allauth versions up to 65.14.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Technical ContextAI

This vulnerability (CWE-601: URL Redirection to Untrusted Site (Open Redirect)) affects Allauth. An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in Django

View all
CVE-2017-12794 MEDIUM POC
6.1 Sep 07

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for

CVE-2022-34265 CRITICAL POC
9.8 Jul 04

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulne

CVE-2021-35042 CRITICAL POC
9.8 Jul 02

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input

CVE-2019-19844 CRITICAL POC
9.8 Dec 18

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8

CVE-2020-9402 HIGH POC
8.8 Mar 05

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a

CVE-2016-6186 MEDIUM POC
6.1 Aug 05

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/j

CVE-2025-57833 HIGH POC
7.1 Sep 03

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS

CVE-2015-5143 HIGH
7.8 Jul 14

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows rem

CVE-2015-0221 MEDIUM POC
5.0 Jan 16

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an e

CVE-2014-0474 CRITICAL
10.0 Apr 23

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.

CVE-2026-1207 MEDIUM POC
5.4 Feb 03

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands t

CVE-2016-9013 CRITICAL
9.8 Dec 09

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary datab

Vendor StatusVendor

Share

CVE-2026-27982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy