Debian Python-Django vulnerabilities
140 known vulnerabilities affecting debian/python-django.
Total CVEs: 140
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 40, MEDIUM 73, LOW 16
Vulnerabilities
Page 4 of 7
CVE-2007-0404 | P3 | HIGH | CVSS 7.5 | fixed in python-django 0.95.1-1 (bookworm) | 2007
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.
Scope: local
bookworm: resolved (fixed in 0.95.1-1)
bullseye: resolved (fixed in 0.95.1-1)
forky: resolved (fixed in 0
CVE-2024-41990 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:4.2.15-1 (forky) | 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.15-1)
sid: resolved (fixed in 3:4.2.15-1)
trixie: r
CVE-2014-0472 | P3 | MEDIUM | CVSS 5.1 | fixed in python-django 1.6.3-1 (bookworm) | 2014
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Scope: local
bookworm: resolved (fixed in 1.6.3-1)
bullseye: reso
CVE-2016-2512 | P3 | HIGH | CVSS 7.4 | fixed in python-django 1.9.4-1 (bookworm) | 2016
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Scope: local
bookworm: resolv
CVE-2025-32873 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of st
CVE-2020-13254 | P3 | MEDIUM | CVSS 5.9 | fixed in python-django 2:2.2.13-1 (bookworm) | 2020
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Scope: local
bookworm: resolved (fixed in 2:2.2.13-1)
bullseye: resolved (fixed in 2:2.2.13-1)
forky: resolved (fixed in 2:2.2.1
CVE-2025-13473 | P3 | MEDIUM | CVSS 5.3 | fixed in python-django 3:3.2.25-0+deb12u2 (bookworm) | 2025
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be af
CVE-2024-41989 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky:
CVE-2024-38875 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:4.2.14-1 (forky) | 2024
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.14-1)
sid: resolved (fixed in 3:4.2.14-1)
trixie: resolved (fixed in 3:4.2.14-1)
CVE-2024-41991 | P3 | HIGH | CVSS 7.5 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed
CVE-2025-26699 | P3 | MEDIUM | CVSS 5.0 | fixed in python-django 3:3.2.25-0+deb12u1 (bookworm) | 2025
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u6)
fork
CVE-2019-19118 | P4 | MEDIUM | CVSS 6.5 | fixed in python-django 2:2.2.8-1 (bookworm) | 2019
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only
CVE-2021-28658 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 2:2.2.20-1 (bookworm) | 2021
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Scope: local
bookworm: resolved (fixed in 2:2.2.20-1)
bullseye: resolved (fixed in 2:2.2.20-1)
forky: resolved (fixed in 2:2.2.
CVE-2013-1665 | P4 | MEDIUM | CVSS 5.0 | fixed in keystone 2012.1.1-13 (bookworm) | 2013
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Scope: local
bookworm: resolved (fixed in 2012.1.1-1
CVE-2019-3498 | P4 | MEDIUM | CVSS 6.5 | fixed in python-django 1:1.11.18-1 (bookworm) | 2019
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Scope: local
bookwo
CVE-2019-12308 | P4 | MEDIUM | CVSS 6.1 | fixed in python-django 1:1.11.21-1 (bookworm) | 2019
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickab
CVE-2021-33203 | P4 | MEDIUM | CVSS 4.9 | fixed in python-django 2:2.2.24-1 (bookworm) | 2021
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file content
CVE-2015-0219 | P4 | MEDIUM | CVSS 5.0 | fixed in python-django 1.7.1-1.1 (bookworm) | 2015
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Scope: local
bookworm: resolved (fixed in 1.7.1-1.1)
bullseye: resolved (fixed in 1.7.1-1.1)
forky: resolved (fixed in 1
CVE-2018-7536 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 1:1.11.11-1 (bookworm) | 2018
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize an
CVE-2018-7537 | P4 | MEDIUM | CVSS 5.3 | fixed in python-django 1:1.11.11-1 (bookworm) | 2018
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to