Debian Python-Django vulnerabilities
140 known vulnerabilities affecting debian/python-django.
Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16
Vulnerabilities
Page 3 of 7
CVE-2025-59682 | P3 | LOW | CVSS 3.1 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Scope: local
bookworm: resolved (
debian
CVE-2026-1285 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatc
debian
CVE-2024-56374 | P3 | MEDIUM | CVSS 5.8 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.Gen
debian
CVE-2021-45116 | P3 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.11-1 (bookworm) | 2021
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Scope: local
bookworm: resolved (fixed in 2:3
debian
CVE-2022-36359 | P3 | HIGH | CVSS 8.8 | fixed in python-django 3:3.2.15-1 (bookworm) | 2022
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Scope: local
bookworm: resolved (fixed in 3:3.2.15-1)
bullseye: resolved
debian
CVE-2019-14233 | P3 | HIGH | CVSS 7.5 | fixed in python-django 2:2.2.4-1 (bookworm) | 2019
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Scope: local
bookworm: resolved (fixed in 2:2.2.4-1)
bullseye: res
debian
CVE-2021-45115 | P3 | HIGH | CVSS 7.5 | fixed in python-django 2:3.2.11-1 (bookworm) | 2021
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for
debian
CVE-2026-33033 | P3 | MEDIUM | CVSS 6.5 | fixed in python-django 3:4.2.30-1 (sid) | 2026
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
debian
CVE-2019-14235 | P3 | HIGH | CVSS 7.5 | fixed in python-django 2:2.2.4-1 (bookworm) | 2019
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Scope: local
bookworm: resolved (fixed in 2:2.2.4-1)
bullseye: resolved (fixed in 2:2.2.
debian
CVE-2022-41323 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.16-1 (bookworm) | 2022
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Scope: local
bookworm: resolved (fixed in 3:3.2.16-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 3:3.2.16-1)
sid: res
debian
CVE-2023-36053 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.19-1+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Scope: local
bookworm: resolved (fixed in 3:3.2.19-1+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u2)
forky:
debian
CVE-2023-43665 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html an
debian
CVE-2012-4520 | P3 | MEDIUM | CVSS 6.4 | fixed in python-django 1.4.2-1 (bookworm) | 2012
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Scope: local
bookworm: resolved (fixed in 1.4.2-1)
bullseye: resolved (fixed in 1.4.2-1)
forky: resolved (fixed in 1.4.2-1)
sid: resolved (fixed in
debian
CVE-2024-24680 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:4.2.10-
debian
CVE-2026-1312 | P3 | MEDIUM | CVSS 5.4 | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) we
debian
CVE-2026-1287 | P3 | MEDIUM | CVSS 5.4 | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `a
debian
CVE-2024-53907 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved
debian
CVE-2023-41164 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2023
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed
debian
CVE-2021-3281 | P3 | MEDIUM | CVSS 5.3 | fixed in python-django 2:2.2.18-1 (bookworm) | 2021
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Scope: local
bookworm: resolved (fixed in 2:2.2.18-1)
bullseye: resolved (fixed in 2:2.2.18
debian
CVE-2015-5143 | P3 | HIGH | CVSS 7.8 | fixed in python-django 1.7.9-1 (bookworm) | 2015
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Scope: local
bookworm: resolved (fixed in 1.7.9-1)
bullseye: resolved (fixed in 1.7.9-1)
forky: resolved (fixed in 1.7.9-1)
s
debian