| CVE | Severity | Score 1 | Score 2 | Age | Description |
|---|---|---|---|---|---|
| CVE-2019-19844 | high | — | 9.0 | 7y ago | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of… |
| CVE-2016-9014 | high | 8.1 | 8.1 | 4y ago | Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validat… |
| CVE-2023-36053 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large num… |
| CVE-2023-31047 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been suppo… |
| CVE-2023-24580 | high | — | 8.0 | 3y ago | An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart … |
| CVE-2023-23969 | high | — | 8.0 | 3y ago | In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-… |
| CVE-2022-41323 | high | — | 8.0 | 4y ago | In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regula… |
| CVE-2022-34265 | high | — | 8.0 | 4y ago | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name val… |
| CVE-2021-35042 | high | — | 8.0 | 5y ago | Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. |
| CVE-2020-9402 | high | — | 8.0 | 6y ago | Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a sui… |
| CVE-2019-12781 | high | — | 8.0 | 7y ago | An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT set… |
| CVE-2015-5145 | high | — | 7.8 | 11y ago | validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. |
| CVE-2015-5143 | high | — | 7.8 | 11y ago | The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via mult… |
| CVE-2011-0698 | high | — | 7.5 | 8y ago | Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session … |
| CVE-2016-7401 | high | 7.5 | 7.5 | 10y ago | The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting … |
| CVE-2016-2512 | high | 7.4 | 7.4 | 10y ago | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cr… |
| CVE-2025-64459 | unknown | — | 1.0 | 7mo ago | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to… |
| CVE-2026-4292 | unknown | — | — | 2mo ago | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via for… |
| CVE-2026-3902 | unknown | — | — | 2mo ago | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variant… |
| CVE-2026-4277 | unknown | — | — | 2mo ago | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInl… |
| CVE-2026-33033 | unknown | — | — | 2mo ago | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-T… |
| CVE-2026-33034 | unknown | — | — | 2mo ago | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SI… |
| CVE-2026-25674 | unknown | — | — | 3mo ago | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file s… |
| CVE-2026-25673 | unknown | — | — | 3mo ago | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows t… |
| CVE-2026-1312 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, … |
| CVE-2026-1287 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafte… |
| CVE-2026-1207 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the ba… |
| CVE-2025-13473 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows re… |
| CVE-2025-14550 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multipl… |
| CVE-2026-1285 | unknown | — | — | 4mo ago | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_… |
| CVE-2025-13372 | unknown | — | — | 6mo ago | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dict… |
| CVE-2025-64460 | unknown | — | — | 6mo ago | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to ca… |
| CVE-2025-64458 | unknown | — | — | 7mo ago | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.h… |
| CVE-2025-59682 | unknown | — | — | 8mo ago | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --templa… |
| CVE-2025-59681 | unknown | — | — | 8mo ago | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL inje… |
| CVE-2025-57833 | unknown | — | — | 9mo ago | An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with… |
| CVE-2025-27556 | unknown | — | — | 1y ago | An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.L… |
| CVE-2025-26699 | unknown | — | — | 1y ago | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-ser… |
| CVE-2024-56374 | unknown | — | — | 1y ago | An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a p… |
| CVE-2024-53908 | unknown | — | — | 2y ago | An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subje… |
| CVE-2024-53907 | unknown | — | — | 2y ago | An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack… |
| CVE-2024-45231 | unknown | — | — | 2y ago | An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to… |
| CVE-2024-45230 | unknown | — | — | 2y ago | An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via ve… |
| CVE-2024-42005 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a c… |
| CVE-2024-41989 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number i… |
| CVE-2024-41991 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service… |
| CVE-2024-41990 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs wit… |
| CVE-2024-38875 | unknown | — | — | 2y ago | An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of br… |
| CVE-2024-39614 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings contain… |
| CVE-2024-39330 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicati… |
| CVE-2024-39329 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing a… |
| CVE-2024-27351 | unknown | — | — | 2y ago | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a poten… |
| CVE-2024-24680 | unknown | — | — | 2y ago | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with ve… |
| CVE-2023-43665 | unknown | — | — | 3y ago | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of … |
| CVE-2023-41164 | unknown | — | — | 3y ago | In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large … |
| CVE-2023-46695 | unknown | — | — | 3y ago | An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is s… |
| CVE-2022-36359 | unknown | — | — | 4y ago | An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-D… |
| CVE-2012-3442 | unknown | — | — | 4y ago | The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which… |
| CVE-2009-3695 | unknown | — | — | 4y ago | Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) Emai… |
| CVE-2009-2659 | unknown | — | — | 4y ago | The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory trav… |
| CVE-2008-3909 | unknown | — | — | 4y ago | The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to con… |
| CVE-2008-2302 | unknown | — | — | 4y ago | Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject… |
| CVE-2007-5712 | unknown | — | — | 4y ago | The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows re… |
| CVE-2007-0405 | unknown | — | — | 4y ago | The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different… |
| CVE-2007-0404 | unknown | — | — | 4y ago | bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shel… |