Debian Python-Django vulnerabilities
140 known vulnerabilities affecting debian/python-django.
Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16
Vulnerabilities
Page 1 of 7
CVE-2026-1207 | P2 | MEDIUM | CVSS 5.4 | Exploited | PoC | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ta
debian
CVE-2022-34265 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in python-django 2:4.0.6-1 (bookworm) | 2022
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Scope: local
bookworm: resolved (fixed in 2:4.0.6-1)
bulls
debian
CVE-2019-19844 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in python-django 2:2.2.9-1 (bookworm) | 2019
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send pas
debian
CVE-2025-64459 | P2 | CRITICAL | CVSS 9.1 | PoC | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5
debian
CVE-2020-9402 | P2 | LOW (title: HIGH) | CVSS 8.8 | PoC | fixed in python-django 2:2.2.11-1 (bookworm) | 2020
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Scope: local
bookworm: resolved (fixed
debian
CVE-2020-7471 | P2 | CRITICAL | CVSS 9.8 | fixed in python-django 2:2.2.10-1 (bookworm) | 2020
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was
debian
CVE-2019-14234 | P2 | CRITICAL | CVSS 9.8 | fixed in python-django 2:2.2.4-1 (bookworm) | 2019
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via craf
debian
CVE-2017-12794 | P3 | LOW (title: MEDIUM) | CVSS 6.1 | PoC | fixed in python-django 1:1.11.5-1 (bookworm) | 2017
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessibl
debian
CVE-2018-14574 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in python-django 1:1.11.15-1 (bookworm) | 2018
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
Scope: local
bookworm: resolved (fixed in 1:1.11.15-1)
bullseye: resolved (fixed in 1:1.11.15-1)
forky: resolved (fixed in 1:1.11.15-1)
sid: resolved (fixed in 1:1.11.15-1)
trixie: resolved (fixed in 1:1.11.15-1)
debian
CVE-2022-28346 | P2 | CRITICAL | CVSS 9.8 | fixed in python-django 2:3.2.13-1 (bookworm) | 2022
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fixed in 2:2
debian
CVE-2025-57833 | P2 | HIGH | CVSS 7.1 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: reso
debian
CVE-2023-24580 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.18-1 (bookworm) | 2023
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Scope: local
bookworm: resolved (fi
debian
CVE-2022-23833 | P3 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.12-1 (bookworm) | 2022
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Scope: local
bookworm: resolved (fixed in 2:3.2.12-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.12-1)
sid: resolved
debian
CVE-2023-23969 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.17-1 (bookworm) | 2023
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Scope: local
bookworm: resolved (fixed in 3:3.2.17-1)
bullseye
debian
CVE-2016-9013 | P3 | CRITICAL | CVSS 9.8 | fixed in python-django 1:1.10.3-1 (bookworm) | 2016
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
S
debian
CVE-2016-6186 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in python-django 1:1.9.8-1 (bookworm) | 2016
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Scope: local
bookwo
debian
CVE-2023-31047 | P3 | CRITICAL | CVSS 9.8 | fixed in python-django 3:3.2.19-1 (bookworm) | 2023
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested o
debian
CVE-2024-53908 | P3 | LOW (title: CRITICAL) | CVSS 9.8 | fixed in python-django 3:4.2.17-1 (forky) | 2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Scope: local
bookwor
debian
CVE-2025-59681 | P3 | HIGH | CVSS 7.1 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Scope
debian
CVE-2022-28347 | P3 | CRITICAL | CVSS 9.8 | fixed in python-django 2:3.2.13-1 (bookworm) | 2022
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fix
debian