Skip to main content

Django

116 CVEs product

Monthly

CVE-2026-53878 PyPI MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53877 PyPI MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48588 PyPI LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-30244 PyPI HIGH This Week

Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. No patch is currently available for affected Golang and Django deployments.

Golang Django Plane
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28223 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-28222 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27982 PyPI MEDIUM PATCH This Month

Allauth versions up to 65.14.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Django Open Redirect Allauth Red Hat
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25674 PyPI LOW PATCH Monitor

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. [CVSS 3.7 LOW]

Golang Django Race Condition
NVD VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-25673 PyPI HIGH PATCH This Week

Django URL field validation triggers excessive Unicode normalization on Windows when processing certain malicious Unicode characters, enabling remote attackers to cause denial of service through crafted URL inputs. Affected versions include Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29, with potential impact to unsupported series 5.0.x, 4.1.x, and 3.2.x. A patch is available for all affected supported versions.

Python Django Denial Of Service Microsoft
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-2250 HIGH This Week

METIS WIC devices expose an unauthenticated /dbviewer/ endpoint that permits remote attackers to directly access and export internal SQLite databases containing sensitive operational telemetry. The affected Golang and Django applications run with debug mode enabled, causing error responses to leak backend source code, local file paths, and system configuration details. No patch is currently available.

Golang Django SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25526 Maven CRITICAL PATCH Act Now

JinJava template engine has a server-side template injection vulnerability enabling arbitrary code execution through crafted Jinja-style templates.

Java Golang Django Jinjava
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25517 PyPI LOW PATCH Monitor

Wagtail is an open source content management system built on Django. [CVSS 2.7 LOW]

Django
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-1312 PyPI MEDIUM PATCH This Month

SQL injection in Django's QuerySet.order_by() method allows authenticated attackers to execute arbitrary SQL commands through specially crafted column aliases containing periods when used with FilteredRelation and dictionary expansion. This vulnerability affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, with potentially older unsupported versions also impacted. Patches are available for all affected versions.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1287 PyPI MEDIUM PATCH GHSA This Month

SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. Patches are available for all affected versions, and unsupported Django releases may also be vulnerable.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1285 PyPI HIGH PATCH This Week

Django's HTML truncation functions (chars(), words(), and related template filters) are vulnerable to denial-of-service attacks when processing specially crafted inputs with excessive unmatched HTML end tags. Affected versions include Django 6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28, and potentially unsupported series 5.0.x, 4.1.x, and 3.2.x. Remote attackers can exploit this to cause service disruptions without requiring authentication or user interaction.

Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1207 PyPI MEDIUM POC PATCH GHSA This Month

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
5.5%
CVE-2025-14550 PyPI HIGH PATCH This Week

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. [CVSS 7.5 HIGH]

Golang Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13473 PyPI MEDIUM PATCH This Month

Django versions up to 6.0.2 contains a vulnerability that allows attackers to enumerate users via a timing attack (CVSS 5.3).

Golang Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64460 PyPI HIGH PATCH This Week

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Information Disclosure Python Ubuntu Debian Django +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13372 PyPI MEDIUM PATCH This Month

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

SQLi PostgreSQL Python Ubuntu Debian +3
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64459 PyPI CRITICAL POC PATCH GHSA Act Now

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Python Django Red Hat Suse
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-64458 PyPI HIGH PATCH GHSA This Month

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Python Django Windows +2
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59682 PyPI LOW PATCH Monitor

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Python Path Traversal Ubuntu Debian Django
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-59681 PyPI HIGH PATCH GHSA This Week

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

SQLi Python Ubuntu Debian Django +2
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-57833 PyPI HIGH POC PATCH GHSA This Week

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Python SQLi Django Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48432 PyPI MEDIUM PATCH This Month

A security vulnerability in Django 5.2 (CVSS 4.0) that allows remote attackers. Remediation should follow standard vulnerability management procedures.

Python Code Injection Ubuntu Debian Django +3
NVD GitHub
CVSS 3.1
4.0
EPSS
0.1%
CVE-2025-32873 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django Red Hat Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-27556 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Python Denial Of Service Django Windows +2
NVD
CVSS 3.1
5.8
EPSS
0.2%
CVE-2025-26699 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Denial Of Service Django Debian Linux Red Hat +1
NVD
CVSS 3.1
5.0
EPSS
1.6%
CVE-2024-56374 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django Debian Linux Red Hat +1
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2024-24680 PyPI HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-22199 Go CRITICAL PATCH This Week

This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Django
NVD GitHub
CVSS 3.1
9.3
EPSS
1.4%
CVE-2023-43665 PyPI HIGH PATCH This Week

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django Fedora
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-41164 PyPI HIGH PATCH This Week

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django Fedora
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-46695 PyPI HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Microsoft Django
NVD
CVSS 3.1
7.5
EPSS
49.8%
CVE-2023-36053 PyPI HIGH PATCH This Week

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
3.0%
CVE-2023-31047 PyPI CRITICAL PATCH Act Now

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Authentication Bypass Django Fedora
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-24580 PyPI HIGH PATCH This Week

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Django Debian Linux
NVD
CVSS 3.1
7.5
EPSS
62.6%
CVE-2023-23969 PyPI HIGH PATCH This Week

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Django Debian Linux
NVD
CVSS 3.1
7.5
EPSS
47.1%
CVE-2022-41323 PyPI HIGH PATCH This Week

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2022-36359 PyPI HIGH PATCH This Week

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Python Django Debian Linux
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-34265 PyPI CRITICAL POC PATCH THREAT Act Now

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Python Django
NVD
CVSS 3.1
9.8
EPSS
73.3%
CVE-2022-28347 PyPI CRITICAL PATCH Act Now

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django Debian Linux
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2022-28346 PyPI CRITICAL PATCH Act Now

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Python Django Debian Linux
NVD
CVSS 3.1
9.8
EPSS
18.5%
CVE-2021-44420 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Authentication Bypass Django Satellite Debian Linux +2
NVD
CVSS 3.1
7.3
EPSS
2.3%
CVE-2021-35042 PyPI CRITICAL POC PATCH THREAT Act Now

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django Fedora
NVD
CVSS 3.1
9.8
EPSS
44.4%
CVE-2021-33571 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Python SSRF Django Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-33203 PyPI MEDIUM PATCH This Month

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django Fedora
NVD
CVSS 3.1
4.9
EPSS
2.7%
CVE-2021-32052 PyPI MEDIUM PATCH This Month

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Django Fedora
NVD
CVSS 3.1
6.1
EPSS
3.1%
CVE-2021-31542 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
5.3%
CVE-2021-28658 PyPI MEDIUM PATCH This Month

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Django Debian Linux Fedora
NVD
CVSS 3.1
5.3
EPSS
3.9%
CVE-2021-23336 MEDIUM POC PATCH THREAT This Month

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Request Smuggling Python Information Disclosure Fedora Debian Linux +9
NVD GitHub
CVSS 3.1
5.9
EPSS
36.0%
CVE-2021-3281 PyPI MEDIUM PATCH This Month

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django Fedora Snapcenter
NVD
CVSS 3.1
5.3
EPSS
7.6%
CVE-2020-24584 PyPI HIGH PATCH This Week

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django Ubuntu Linux Fedora +1
NVD
CVSS 3.1
7.5
EPSS
3.3%
CVE-2020-24583 PyPI HIGH PATCH This Week

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django Ubuntu Linux Fedora +1
NVD
CVSS 3.1
7.5
EPSS
4.0%
CVE-2020-13596 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django Fedora Ubuntu Linux +4
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2020-13254 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Python Information Disclosure Django Ubuntu Linux Fedora +4
NVD
CVSS 3.1
5.9
EPSS
6.1%
CVE-2020-9402 PyPI HIGH POC PATCH THREAT This Week

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Python SQLi Oracle Django Debian Linux +3
NVD
CVSS 3.1
8.8
EPSS
22.5%
CVE-2020-7471 PyPI CRITICAL PATCH Act Now

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python SQLi PostgreSQL Django
NVD GitHub
CVSS 3.1
9.8
EPSS
65.3%
CVE-2019-19844 PyPI CRITICAL POC PATCH THREAT Act Now

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Django Ubuntu Linux
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
34.8%
CVE-2019-19118 PyPI MEDIUM PATCH This Month

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django Fedora
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2019-14234 PyPI CRITICAL PATCH Act Now

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Python Django Fedora +1
NVD
CVSS 3.0
9.8
EPSS
47.7%
CVE-2019-14235 PyPI HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django Leap
NVD
CVSS 3.0
7.5
EPSS
3.1%
CVE-2019-14233 PyPI HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Django Leap
NVD
CVSS 3.0
7.5
EPSS
3.2%
CVE-2019-14232 PyPI HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Django Leap
NVD
CVSS 3.1
7.5
EPSS
3.5%
CVE-2019-12781 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django Ubuntu Linux Debian Linux
NVD
CVSS 3.0
5.3
EPSS
1.7%
CVE-2019-12308 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Django
NVD
CVSS 3.0
6.1
EPSS
2.6%
CVE-2019-6975 PyPI HIGH PATCH This Week

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format(). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Python Django Ubuntu Linux Fedora
NVD
CVSS 3.0
7.5
EPSS
5.4%
CVE-2019-3498 PyPI MEDIUM PATCH This Month

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django Debian Linux Ubuntu Linux +1
NVD
CVSS 3.0
6.5
EPSS
3.7%
CVE-2018-16984 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python Django
NVD
CVSS 3.0
4.9
EPSS
2.0%
CVE-2018-14574 PyPI MEDIUM POC PATCH THREAT This Month

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Open Redirect Django Debian Linux Ubuntu Linux
NVD
CVSS 3.0
6.1
EPSS
25.5%
CVE-2018-7537 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Ubuntu Linux Django Debian Linux
NVD
CVSS 3.0
5.3
EPSS
4.6%
CVE-2018-7536 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Ubuntu Linux Django Debian Linux +1
NVD GitHub
CVSS 3.0
5.3
EPSS
4.8%
CVE-2018-6188 PyPI HIGH PATCH This Week

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
4.9%
CVE-2017-12794 PyPI MEDIUM POC PATCH THREAT This Month

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 21.0%.

XSS Python Django
NVD
CVSS 3.0
6.1
EPSS
21.0%
CVE-2017-7234 PyPI MEDIUM PATCH This Month

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Django
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-7233 PyPI MEDIUM PATCH This Month

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

XSS Open Redirect Python Django
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2016-9014 PyPI HIGH PATCH This Week

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Python Privilege Escalation Fedora Ubuntu Linux Django
NVD
CVSS 3.0
8.1
EPSS
3.0%
CVE-2016-9013 PyPI CRITICAL PATCH Act Now

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Oracle Python Authentication Bypass Django Ubuntu Linux +1
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2016-7401 PyPI HIGH PATCH This Week

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Python Google Ubuntu Linux Django +1
NVD
CVSS 3.0
7.5
EPSS
4.4%
CVE-2016-6186 PyPI MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.1%.

XSS Python Debian Linux Django
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
13.1%
CVE-2016-2513 PyPI LOW PATCH Monitor

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
CVSS 3.0
3.1
EPSS
1.2%
CVE-2016-2512 PyPI HIGH PATCH This Week

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django
NVD GitHub
CVSS 3.0
7.4
EPSS
1.2%
CVE-2016-2048 PyPI MEDIUM PATCH This Month

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Django
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2015-8213 PyPI MEDIUM PATCH This Month

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
CVSS 2.0
5.0
EPSS
3.0%
CVE-2015-5964 PyPI MEDIUM PATCH This Month

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django Ubuntu Linux Solaris
NVD
CVSS 2.0
5.0
EPSS
4.4%
CVE-2015-5963 PyPI MEDIUM PATCH This Month

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django Solaris Ubuntu Linux
NVD
CVSS 2.0
5.0
EPSS
5.2%
CVE-2015-5145 PyPI HIGH PATCH This Week

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django
NVD
CVSS 2.0
7.8
EPSS
0.8%
CVE-2015-5144 PyPI MEDIUM PATCH This Month

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Code Injection Ubuntu Linux Django Debian Linux +1
NVD
CVSS 2.0
4.3
EPSS
2.2%
CVE-2015-5143 PyPI HIGH PATCH Act Now

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.8%.

Denial Of Service Python Django Debian Linux Solaris +1
NVD
CVSS 2.0
7.8
EPSS
15.8%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. No patch is currently available for affected Golang and Django deployments.

Golang Django Plane
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Allauth versions up to 65.14.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Django Open Redirect Allauth +1
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. [CVSS 3.7 LOW]

Golang Django Race Condition
NVD VulDB HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Django URL field validation triggers excessive Unicode normalization on Windows when processing certain malicious Unicode characters, enabling remote attackers to cause denial of service through crafted URL inputs. Affected versions include Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29, with potential impact to unsupported series 5.0.x, 4.1.x, and 3.2.x. A patch is available for all affected supported versions.

Python Django Denial Of Service +1
NVD VulDB HeroDevs
EPSS 0% CVSS 7.5
HIGH This Week

METIS WIC devices expose an unauthenticated /dbviewer/ endpoint that permits remote attackers to directly access and export internal SQLite databases containing sensitive operational telemetry. The affected Golang and Django applications run with debug mode enabled, causing error responses to leak backend source code, local file paths, and system configuration details. No patch is currently available.

Golang Django SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

JinJava template engine has a server-side template injection vulnerability enabling arbitrary code execution through crafted Jinja-style templates.

Java Golang Django +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Wagtail is an open source content management system built on Django. [CVSS 2.7 LOW]

Django
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection in Django's QuerySet.order_by() method allows authenticated attackers to execute arbitrary SQL commands through specially crafted column aliases containing periods when used with FilteredRelation and dictionary expansion. This vulnerability affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, with potentially older unsupported versions also impacted. Patches are available for all affected versions.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. Patches are available for all affected versions, and unsupported Django releases may also be vulnerable.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Django's HTML truncation functions (chars(), words(), and related template filters) are vulnerable to denial-of-service attacks when processing specially crafted inputs with excessive unmatched HTML end tags. Affected versions include Django 6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28, and potentially unsupported series 5.0.x, 4.1.x, and 3.2.x. Remote attackers can exploit this to cause service disruptions without requiring authentication or user interaction.

Django Red Hat Suse
NVD HeroDevs
EPSS 5% CVSS 5.4
MEDIUM POC PATCH This Month

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. [CVSS 7.5 HIGH]

Golang Django Red Hat +1
NVD HeroDevs
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Django versions up to 6.0.2 contains a vulnerability that allows attackers to enumerate users via a timing attack (CVSS 5.3).

Golang Django Red Hat +1
NVD HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Information Disclosure Python Ubuntu +4
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

SQLi PostgreSQL Python +5
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Python Django +2
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH PATCH This Month

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Python +4
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Python Path Traversal Ubuntu +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

SQLi Python Ubuntu +4
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Python SQLi Django +2
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

A security vulnerability in Django 5.2 (CVSS 4.0) that allows remote attackers. Remediation should follow standard vulnerability management procedures.

Python Code Injection Ubuntu +5
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django +2
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Python Denial Of Service +4
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Denial Of Service Django +3
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django +3
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH This Week

This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Django
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django +1
NVD
EPSS 50% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Microsoft +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Authentication Bypass Django +1
NVD
EPSS 63% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Django +1
NVD
EPSS 47% CVSS 7.5
HIGH PATCH This Week

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Django +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Python Django +1
NVD
EPSS 73% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Python Django
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django +1
NVD
EPSS 19% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Python Django +1
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Authentication Bypass Django +4
NVD
EPSS 44% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Python SSRF Django +1
NVD GitHub
EPSS 3% CVSS 4.9
MEDIUM PATCH This Month

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django +1
NVD
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Django +1
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django +2
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Django +2
NVD
EPSS 36% CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Request Smuggling Python Information Disclosure +11
NVD GitHub
EPSS 8% CVSS 5.3
MEDIUM PATCH This Month

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django +2
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django +3
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django +3
NVD
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django +6
NVD
EPSS 6% CVSS 5.9
MEDIUM PATCH This Month

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Python Information Disclosure Django +6
NVD
EPSS 23% CVSS 8.8
HIGH POC PATCH THREAT This Week

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Python SQLi Oracle +5
NVD
EPSS 65% CVSS 9.8
CRITICAL PATCH Act Now

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python SQLi PostgreSQL +1
NVD GitHub
EPSS 35% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Django +1
NVD Exploit-DB
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Django +1
NVD
EPSS 48% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Python +3
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Django +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Django +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django +2
NVD
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Django
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format(). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Python Django +2
NVD
EPSS 4% CVSS 6.5
MEDIUM PATCH This Month

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django +3
NVD
EPSS 2% CVSS 4.9
MEDIUM PATCH This Month

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python Django
NVD
EPSS 25% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Open Redirect Django +2
NVD
EPSS 5% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Ubuntu Linux +2
NVD
EPSS 5% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Ubuntu Linux +3
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django +1
NVD
EPSS 21% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 21.0%.

XSS Python Django
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Django
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

XSS Open Redirect Python +1
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Python Privilege Escalation Fedora +2
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Oracle Python Authentication Bypass +3
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Python Google +3
NVD
EPSS 13% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.1%.

XSS Python Debian Linux +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 3.1
LOW PATCH Monitor

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Django
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
EPSS 4% CVSS 5.0
MEDIUM PATCH This Month

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django +2
NVD
EPSS 5% CVSS 5.0
MEDIUM PATCH This Month

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django +2
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Code Injection Ubuntu Linux +3
NVD
EPSS 16% CVSS 7.8
HIGH PATCH Act Now

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.8%.

Denial Of Service Python Django +3
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy