Debian Python-Django vulnerabilities
140 known vulnerabilities affecting debian/python-django.
Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16
Vulnerabilities
Page 2 of 7
CVE-2024-39614 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: resolved (fixed in
CVE-2021-23336 | P3 | MEDIUM | CVSS 5.9 | pypy3 | fixed in pypy3 7.3.3+dfsg-3 (bookworm) | 2021
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a diff
CVE-2026-4277 | P3 | CRITICAL | CVSS 9.8 | python-django | fixed in python-django 3:4.2.30-1 (sid) | 2026
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec
CVE-2024-45230 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:4.2.16-1 (forky) | 2024
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.16-1)
sid: resolved (fixed in 3:
CVE-2016-7401 | P3 | LOW | CVSS 7.5 | python-django | fixed in python-django 1:1.10-1 (bookworm) | 2016
CVE-2016-7401 [HIGH]: python-django
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Scope: local
bookworm: resolved (fixed in 1:1.10-1)
bullseye: resolved (fixed in 1:1.10-1)
forky: resolved (fixed in 1:1.10-1)
sid: resolved (fixe
CVE-2021-31542 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 2:2.2.21-1 (bookworm) | 2021
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Scope: local
bookworm: resolved (fixed in 2:2.2.21-1)
bullseye: resolved (fixed in 2:2.2.21-1)
forky: resolved (fixed in 2:2.2.21-1)
sid: resolved (fixed in 2:2.2.21-1
CVE-2016-9014 | P3 | HIGH | CVSS 8.1 | python-django | fixed in python-django 1:1.10.3-1 (bookworm) | 2016
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Scope: local
bookworm: resolved (fixed in 1:1.10.3-1)
bullseye: resolved (fixed in 1:1.10.3-1)
forky: resolved
CVE-2020-24583 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 2:2.2.16-1 (bookworm) | 2020
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic manag
CVE-2021-33571 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 2:2.2.24-1 (bookworm) | 2021
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)
Scope:
CVE-2025-64460 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsuppo
CVE-2014-0474 | P3 | CRITICAL | CVSS 10.0 | python-django | fixed in python-django 1.6.3-1 (bookworm) | 2014
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Scope: local
bookworm: resolved
CVE-2018-6188 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 1:1.11.10-1 (bookworm) | 2018
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Scope: local
bookworm: resolved (fixed in 1:1.11.10-1)
bullseye:
CVE-2021-44420 | P3 | HIGH | CVSS 7.3 | python-django | fixed in python-django 2:3.2.10-1 (bookworm) | 2021
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Scope: local
bookworm: resolved (fixed in 2:3.2.10-1)
bullseye: resolved (fixed in 2:2.2.25-1~deb11u1)
forky: resolved (fixed in 2:3.2.10-1)
sid: resolved (fixed in 2:3.2.10-1)
trixie: res
CVE-2026-33034 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:4.2.30-1 (sid) | 2026
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.
CVE-2024-42005 | P3 | HIGH | CVSS 7.3 | python-django | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: res
CVE-2026-3902 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:4.2.30-1 (sid) | 2026
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated an
CVE-2019-6975 | P3 | LOW | CVSS 7.5 | python-django | fixed in python-django 1:1.11.20-1 (bookworm) | 2019
CVE-2019-6975 [HIGH]: python-django
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
Scope: local
bookworm: resolved (fixed in 1:1.11.20-1)
bullseye: resolved (fixed in 1:1.11.20-1)
forky: resolved (fixed in 1:1.11.20-1)
sid: resolved (fixed in
CVE-2025-14550 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2025
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank J
CVE-2019-14232 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2019
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are u
CVE-2020-24584 | P3 | HIGH | CVSS 7.5 | python-django | fixed in python-django 2:2.2.16-1 (bookworm) | 2020
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
Scope: local
bookworm: resolved (fixed in 2:2.2.16-1)
bullseye: resolved (fixed in 2:2.2.16-1)
forky: resolved (fixed in 2:2.2.16-1