CVE-2026-4277
Published: 2026-04-07

Scoring

Priority: P352
CVSS 3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.4th percentile), the estimated probability of exploitation in the wild within the next 30 days; low relative to the CVSS score, so prioritise by exposure of your admin site rather than by the 9.8 alone.
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. In the admin, `GenericInlineModelAdmin` did not validate the add permission for inline model instances when the POST data submitted with the parent object's form was forged: a user without the add permission on the inline model could still cause new inline objects to be created by crafting the inline formset fields in the request. Older, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Affected

4 distinct ranges (the source listed each djangoproject range twice)

Vendor          Product         Affected range        Fixed in
debian          python-django   < 3:4.2.30-1 (sid)    3:4.2.30-1 (sid)
djangoproject   django          >= 4.2, < 4.2.30      4.2.30
djangoproject   django          >= 5.2, < 5.2.13      5.2.13
djangoproject   django          >= 6.0, < 6.0.4       6.0.4
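To turn the ranges above into a check you can run against a deployment, here is an added example (my own, not code from the advisory, the Django project or any distribution) that classifies a version string as fixed, vulnerable, not evaluated, or outside the advisory's scope. It assumes upstream-style `major.minor.patch` versions, strips a Debian epoch and revision such as `3:4.2.30-1`, and the pip-freeze lines in the `__main__` block are constructed sample input, not output from any real system.

```python
"""Classify a Django version against the CVE-2026-4277 fixed versions.

Added example; not code from the advisory, the Django project, or any
distribution. The ranges are the ones in the affected table on this page.
Debian epoch/revision handling and the sample pip-freeze lines are
assumptions made for illustration.
"""
import re

# Lowest fixed version per affected series, from the table above.
FIXED_IN = {
    (4, 2): (4, 2, 30),
    (5, 2): (5, 2, 13),
    (6, 0): (6, 0, 4),
}
NEWEST_COVERED_SERIES = (6, 0)  # the advisory says nothing about later series

_VERSION_RE = re.compile(
    r"^(?:\d+:)?"                # optional Debian epoch, e.g. "3:"
    r"(\d+)\.(\d+)(?:\.(\d+))?"  # major.minor[.patch]
    r"(?:[-~+].*)?$"             # optional distro revision, e.g. "-1" or "~rc1"
)


def parse_version(text):
    """Return (major, minor, patch) from '4.2.30', '3:4.2.30-1' or '5.2'.

    A missing patch component is treated as 0, so '5.2' compares as 5.2.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text):
    """Return 'fixed', 'vulnerable', 'not_evaluated' or 'unknown' for a Django version."""
    version = parse_version(version_text)
    series = version[:2]
    if series in FIXED_IN:
        return "fixed" if version >= FIXED_IN[series] else "vulnerable"
    if series > NEWEST_COVERED_SERIES:
        return "unknown"  # released after the advisory's newest series; not covered by it
    # Older series (3.2.x, 4.1.x, 5.0.x, ...) were not evaluated per the advisory,
    # so they must be treated as possibly affected.
    return "not_evaluated"


def django_version_from_freeze(lines):
    """Pull the Django pin out of `pip freeze`-style lines; None if not pinned."""
    for line in lines:
        name, sep, version = line.strip().partition("==")
        if sep and name.lower() == "django":
            return version
    return None


if __name__ == "__main__":
    # Constructed sample input, not real `pip freeze` output from any system.
    sample_freeze = ["asgiref==3.8.1", "Django==5.2.12", "sqlparse==0.5.3"]
    pinned = django_version_from_freeze(sample_freeze)
    print(f"Django {pinned}: {assess(pinned)}")
    for v in ("3:4.2.29-1", "3:4.2.30-1", "6.0.3", "6.0.4", "5.0.14"):
        print(f"{v}: {assess(v)}")
```

Two caveats when using this. Distributions sometimes backport a fix without bumping the upstream version number; the Debian row on this page does move to 4.2.30, but for other packagers read the package changelog rather than trusting the version string alone. And because the advisory says "such as" for the unevaluated series, the example treats every series older than 6.0 that is not 4.2, 5.2 or 6.0 as not evaluated rather than as safe.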

CVSS provenance

Source          CVSS     Score   Severity    Vector
nvd             v3.1     9.8     CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -        9.8     CRITICAL    (not published on this page)
vendor_debian   -        9.8     CRITICAL    (not published on this page)
vendor_redhat   -        9.8     CRITICAL    (not published on this page)
vendor_ubuntu   -        6.5     MEDIUM      (not published on this page)

Treat the PR:N in the NVD vector with care: the `GenericInlineModelAdmin` form is only reachable through the Django admin, which requires an authenticated staff user, so the practical precondition is closer to an authenticated user with change access to the parent object than to an anonymous attacker. Ubuntu's lower 6.5 Medium rating is consistent with that reading, although its vector is not shown here.