CVE-2026-31815 — Improper Access Control in Django-unicorn

CWE-284 — Improper Access Control CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 72.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Django-commons Django-unicorn Django-unicorn Unicorn

Timeline

PublishedMar 10

Latest updateMar 11

Description

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDdjango-unicorn/unicorn< 0.67.0

▶CVEListV5django-commons/django-unicorn< 0.67.0

▶PyPIdjango-commons/django-unicorn< 0.67.0

🔴Vulnerability Details

OSV

django-unicorn affected by component state manipulation via unvalidated attribute access↗2026-03-11

▶

GHSA

django-unicorn affected by component state manipulation via unvalidated attribute access↗2026-03-11

▶

🕵️Threat Intelligence

Wiz

CVE-2026-31815 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶