| CVE-2025-64459 |
unknown |
— |
1.0 |
|
|
|
7mo ago |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to… |
| CVE-2026-3902 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variant… |
| CVE-2026-4277 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInl… |
| CVE-2026-4292 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new
instances to be created via for… |
| CVE-2026-33034 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SI… |
| CVE-2026-33033 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-T… |
| CVE-2026-25673 |
unknown |
— |
— |
|
|
|
3mo ago |
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows t… |
| CVE-2026-25674 |
unknown |
— |
— |
|
|
|
3mo ago |
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file s… |
| CVE-2026-1312 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, … |
| CVE-2026-1287 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafte… |
| CVE-2026-1207 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the ba… |
| CVE-2025-13473 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows re… |
| CVE-2025-14550 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multipl… |
| CVE-2026-1285 |
unknown |
— |
— |
|
|
|
4mo ago |
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_… |
| CVE-2025-13372 |
unknown |
— |
— |
|
|
|
6mo ago |
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dict… |
| CVE-2025-64460 |
unknown |
— |
— |
|
|
|
6mo ago |
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to ca… |
| CVE-2025-64458 |
unknown |
— |
— |
|
|
|
7mo ago |
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.h… |
| CVE-2025-59682 |
unknown |
— |
— |
|
|
|
8mo ago |
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --templa… |
| CVE-2025-59681 |
unknown |
— |
— |
|
|
|
8mo ago |
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL inje… |
| CVE-2025-57833 |
unknown |
— |
— |
|
|
|
9mo ago |
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with… |
| CVE-2025-27556 |
unknown |
— |
— |
|
|
|
1y ago |
An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.L… |
| CVE-2025-26699 |
unknown |
— |
— |
|
|
|
1y ago |
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-ser… |
| CVE-2024-56374 |
unknown |
— |
— |
|
|
|
1y ago |
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a p… |
| CVE-2024-53908 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subje… |
| CVE-2024-53907 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack… |
| CVE-2024-45230 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via ve… |
| CVE-2024-45231 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to… |
| CVE-2024-41989 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number i… |
| CVE-2024-41991 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service… |
| CVE-2024-41990 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs wit… |
| CVE-2024-42005 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a c… |
| CVE-2024-39330 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicati… |
| CVE-2024-39329 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing a… |
| CVE-2024-38875 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of br… |
| CVE-2024-39614 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings contain… |
| CVE-2024-27351 |
unknown |
— |
— |
|
|
|
2y ago |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a poten… |
| CVE-2024-24680 |
unknown |
— |
— |
|
|
|
2y ago |
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with ve… |
| CVE-2023-43665 |
unknown |
— |
— |
|
|
|
3y ago |
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of … |
| CVE-2023-41164 |
unknown |
— |
— |
|
|
|
3y ago |
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large … |
| CVE-2023-46695 |
unknown |
— |
— |
|
|
|
3y ago |
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is s… |
| CVE-2022-36359 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-D… |
| CVE-2012-3442 |
unknown |
— |
— |
|
|
|
4y ago |
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which… |
| CVE-2009-3695 |
unknown |
— |
— |
|
|
|
4y ago |
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) Emai… |
| CVE-2009-2659 |
unknown |
— |
— |
|
|
|
4y ago |
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory trav… |
| CVE-2008-3909 |
unknown |
— |
— |
|
|
|
4y ago |
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to con… |
| CVE-2008-2302 |
unknown |
— |
— |
|
|
|
4y ago |
Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject… |
| CVE-2007-5712 |
unknown |
— |
— |
|
|
|
4y ago |
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows re… |
| CVE-2007-0405 |
unknown |
— |
— |
|
|
|
4y ago |
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different… |
| CVE-2007-0404 |
unknown |
— |
— |
|
|
|
4y ago |
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shel… |
