Djangoproject Django vulnerabilities
158 known vulnerabilities affecting djangoproject/django.
Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6
Vulnerabilities
Page 1 of 8
CVE-2019-11358 | P2 | MEDIUM | Exploited | PoC | Affected: ≥ 2.0a1, < 2.1.9; ≥ 2.2a1, < 2.2.2 | Published: 2019-04-26
CVE-2019-11358 [MEDIUM] CWE-1321: XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`.
Sources: GHSA, OSV
CVE-2026-1207 | P2 | MEDIUM | CVSS 5.4 | Exploited | PoC | Affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more | Published: 2026-02-03
CVE-2026-1207 [MEDIUM] CWE-89
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to
Sources: GHSA, NVD, OSV
CVE-2022-34265 | P1 | CRITICAL | CVSS 9.8 | PoC | Affected: ≥ 3.2, < 3.2.14; ≥ 4.0, < 4.0.6 | Published: 2022-07-04
CVE-2022-34265 [CRITICAL] CWE-89
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Sources: GHSA, NVD, OSV
CVE-2019-19844 | P2 | CRITICAL | CVSS 9.8 | PoC | Affected: fixed in 1.11.27; ≥ 2.2, < 2.2.9; +1 more | Published: 2019-12-18
CVE-2019-19844 [CRITICAL] CWE-640
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to
Sources: GHSA, NVD, OSV
CVE-2025-64459 | P2 | CRITICAL | CVSS 9.1 | PoC | Affected: ≥ 4.2, < 4.2.26; ≥ 5.1, < 5.1.14; +1 more | Published: 2025-11-05
CVE-2025-64459 [CRITICAL] CWE-89
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (s
Sources: GHSA, NVD, OSV
CVE-2021-35042 | P2 | CRITICAL | CVSS 9.8 | PoC | Affected: ≥ 3.1, < 3.1.13; ≥ 3.2, < 3.2.5 | Published: 2021-07-02
CVE-2021-35042 [CRITICAL] CWE-89
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
Sources: GHSA, NVD, OSV
CVE-2020-9402 | P2 | HIGH | CVSS 8.8 | PoC | Affected: ≥ 1.11, < 1.11.29; ≥ 2.2, < 2.2.11; +1 more | Published: 2020-03-05
CVE-2020-9402 [HIGH] CWE-89
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Sources: GHSA, NVD, OSV
CVE-2020-7471 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ 1.11, < 1.11.28; ≥ 2.2, < 2.2.10; +1 more | Published: 2020-02-03
CVE-2020-7471 [CRITICAL] CWE-89
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance,
Sources: GHSA, NVD, OSV
CVE-2019-14234 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ 1.11, < 1.11.23; ≥ 2.1, < 2.1.11; +1 more | Published: 2019-08-09
CVE-2019-14234 [CRITICAL] CWE-89
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited
Sources: GHSA, NVD, OSV
CVE-2017-12794 | P3 | MEDIUM | CVSS 6.1 | PoC | Affected: v1.10.0; v1.10.1; +11 more | Published: 2017-09-07
CVE-2017-12794 [MEDIUM] CWE-79
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page a
Sources: GHSA, NVD, OSV
CVE-2018-14574 | P3 | MEDIUM | CVSS 6.1 | PoC | Affected: ≥ 1.11, < 1.11.15; ≥ 2.0, < 2.0.8 | Published: 2018-08-03
CVE-2018-14574 [MEDIUM] CWE-601
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
Sources: GHSA, NVD, OSV
CVE-2022-28346 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ 2.2, < 2.2.28; ≥ 3.2, < 3.2.13; +1 more | Published: 2022-04-12
CVE-2022-28346 [CRITICAL] CWE-89
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Sources: GHSA, NVD, OSV
CVE-2025-57833 | P2 | HIGH | CVSS 8.1 | Affected: ≥ 4.2, < 4.2.24; ≥ 5.1, < 5.1.12; +1 more | Published: 2025-09-03
CVE-2025-57833 [HIGH] CWE-89
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
Sources: GHSA, NVD, OSV
CVE-2023-24580 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.2, < 3.2.18; ≥ 4.0, < 4.0.10; +1 more | Published: 2023-02-15
CVE-2023-24580 [HIGH] CWE-400
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Sources: GHSA, NVD, OSV
CVE-2022-23833 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 2.2, < 2.2.27; ≥ 3.2, < 3.2.12; +1 more | Published: 2022-02-03
CVE-2022-23833 [HIGH] CWE-835
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Sources: GHSA, NVD, OSV
CVE-2023-23969 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.2, < 3.2.17; ≥ 4.0, < 4.0.9; +1 more | Published: 2023-02-01
CVE-2023-23969 [HIGH] CWE-770
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Sources: GHSA, NVD, OSV
CVE-2023-46695 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.2, < 3.2.23; ≥ 4.1, < 4.1.13; +1 more | Published: 2023-11-02
CVE-2023-46695 [HIGH] CWE-770
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Sources: GHSA, NVD, OSV
CVE-2016-9013 | P3 | CRITICAL | CVSS 9.8 | Affected: v1.10; v1.10.1; +28 more | Published: 2016-12-09
CVE-2016-9013 [CRITICAL] CWE-798
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dict
Sources: GHSA, NVD, OSV
CVE-2016-6186 | P3 | MEDIUM | CVSS 6.1 | PoC | Affected: ≤ 1.8.13; v1.9; +9 more | Published: 2016-08-05
CVE-2016-6186 [MEDIUM] CWE-79
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
Sources: GHSA, NVD, OSV
CVE-2023-31047 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 3.2, < 3.2.19; ≥ 4.0, < 4.1.9; +1 more | Published: 2023-05-07
CVE-2023-31047 [CRITICAL] CWE-20
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation sug
Sources: GHSA, NVD, OSV