CVE-2026-31815
Published 2026-03-10. CVE-2026-31815: Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due…
Priority: P4 · 31 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.21% (11.2th percentile)
Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| django-commons | django-unicorn | < 0.67.0 | 0.67.0 |
| django-commons | django-unicorn | >= 0 < 0.67.0 | 0.67.0 |
| django-unicorn | unicorn | < 0.67.0 | 0.67.0 |
OSV
django-unicorn affected by component state manipulation via unvalidated attribute access
osv·2026-03-11
CVE-2026-31815 [MEDIUM] django-unicorn affected by component state manipulation via unvalidated attribute access
## Summary
Component state manipulation is possible in `django-unicorn` due to missing access control checks during property updates and method calls. An attacker can bypass the intended `_is_public` protection to modify internal attributes such as `template_name` or trigger protected methods.
## Vulnerability Details: Component Access Control Bypass
Security analysis identified that the framework fails to enforce visibility boundaries defined by `_is_public` within the action parsers. Specifically, the logic in `set_property_value()` and `_call_method_name()` utilizes `getattr` and `setattr` directly on component instances without verifying if the target attribute or method is explicitly marked as p
GHSA
django-unicorn affected by component state manipulation via unvalidated attribute access
ghsa·2026-03-11
CVE-2026-31815 [MEDIUM] CWE-284 django-unicorn affected by component state manipulation via unvalidated attribute access
## Summary
Component state manipulation is possible in `django-unicorn` due to missing access control checks during property updates and method calls. An attacker can bypass the intended `_is_public` protection to modify internal attributes such as `template_name` or trigger protected methods.
## Vulnerability Details: Component Access Control Bypass
Security analysis identified that the framework fails to enforce visibility boundaries defined by `_is_public` within the action parsers. Specifically, the logic in `set_property_value()` and `_call_method_name()` utilizes `getattr` and `setattr` directly on component instances without verifying if the target attribute or method is explicitly marked as p
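The OSV and GHSA entries above describe the same defect: an action parser that hands a client-supplied attribute or method name straight to `getattr`/`setattr` without first checking the component's own visibility rule. The following is an added, self-contained Python illustration of that pattern and of the hardened form; it is not django-unicorn's code. The `Component` class, its `_is_public` policy (underscore-prefixed names and a reserved `template_name` are private; only names defined on the class or instance are addressable), and the `set_property_*` / `call_method_checked` functions are all assumptions constructed for this example.

```python
import inspect


class AccessDenied(Exception):
    """Raised when a client-supplied name targets non-public state."""


class Component:
    """Toy reactive component (constructed for this example, not django-unicorn's).

    Public state is any plain attribute without a leading underscore that is not
    framework-reserved. Everything else must be unreachable from the client.
    """

    # Framework-reserved attribute: a client must never be able to change it.
    template_name = "base.html"
    count = 0

    _reserved = frozenset({"template_name"})

    def _is_public(self, name):
        # Assumed policy: underscore-prefixed names (including dunders) are
        # private, reserved framework attributes are private, and only names
        # defined directly on the class or the instance are addressable at all.
        if name.startswith("_") or name in self._reserved:
            return False
        return name in vars(type(self)) or name in vars(self)

    def increment(self):
        self.count += 1
        return self.count

    def _reset(self):
        self.count = 0


def set_property_unchecked(component, name, value):
    # The weak pattern the advisory describes: the client-controlled name goes
    # straight to setattr, so "template_name" or any "_private" name is accepted.
    setattr(component, name, value)


def set_property_checked(component, name, value):
    """Hardened form: refuse non-public names and never overwrite callables."""
    if not component._is_public(name):
        raise AccessDenied(f"{name!r} is not a public property")
    if callable(getattr(component, name, None)):
        raise AccessDenied(f"{name!r} is a method, not a property")
    setattr(component, name, value)


def call_method_checked(component, name, *args):
    """Hardened form: only public, bound methods may be invoked."""
    if not component._is_public(name):
        raise AccessDenied(f"{name!r} is not a public method")
    target = getattr(component, name)
    if not inspect.ismethod(target):
        raise AccessDenied(f"{name!r} is not a method")
    return target(*args)


def denied(fn, *args):
    """Helper: True if the call is rejected with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    c = Component()
    set_property_checked(c, "count", 5)
    print("count ->", c.count)
    print("template_name update denied:", denied(set_property_checked, c, "template_name", "other.html"))
    print("_reset call denied:", denied(call_method_checked, c, "_reset"))
    print("increment ->", call_method_checked(c, "increment"))
```

The point of the hardened functions is that the visibility decision is made once, by the component, and both the property path and the method path consult it before touching the instance; the unchecked variant is kept only to show the contrast. A framework port of this idea would also want to reject names that resolve to descriptors or class-level helpers rather than plain state.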
No detection rules found.
No public exploits indexed.
Published: 2026-03-10