
Djangoproject Django vulnerabilities

158 known vulnerabilities affecting djangoproject/django.

Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6

Vulnerabilities

Page 2 of 8

Entry format: CVE ID | cvebase priority | severity | CVSS score | affected version ranges | date published
CVE-2025-59681 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 4.2, < 4.2.25; ≥ 5.1, < 5.1.13; +1 more | 2025-10-01
CVE-2025-59681 [CRITICAL] CWE-89: An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and Mar
Sources: GHSA, NVD, OSV

CVE-2024-53908 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 4.2, < 4.2.17; ≥ 5.0, < 5.0.10; +1 more | 2024-12-06
CVE-2024-53908 [CRITICAL] CWE-89: An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Sources: GHSA, NVD, OSV

CVE-2022-28347 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 2.2, < 2.2.28; ≥ 3.2, < 3.2.13; +1 more | 2022-04-12
CVE-2022-28347 [CRITICAL] CWE-89: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Sources: GHSA, NVD, OSV

CVE-2024-39614 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.14; ≥ 5.0, < 5.0.7 | 2024-07-10
CVE-2024-39614 [HIGH] CWE-130: An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Sources: GHSA, NVD, OSV

CVE-2021-23336 | P3 | MEDIUM | CVSS 5.9 | affected: ≥ 2.2, < 2.2.19; ≥ 3.0, < 3.0.13; +1 more | 2021-02-15
CVE-2021-23336 [MEDIUM] CWE-444: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they
Sources: NVD

CVE-2026-4277 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more | 2026-04-07
CVE-2026-4277 [CRITICAL] CWE-862: An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to th
Sources: GHSA, NVD, OSV

CVE-2024-45230 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2.0, < 4.2.16; ≥ 5.0, < 5.0.9; +1 more | 2024-10-08
CVE-2024-45230 [HIGH] CWE-120: An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Sources: GHSA, NVD, OSV

CVE-2016-7401 | P3 | HIGH | CVSS 7.5 | affected: ≤ 1.8.14; v1.9.0; +9 more | 2016-10-03
CVE-2016-7401 [HIGH] CWE-254: The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Sources: GHSA, NVD, OSV

CVE-2021-31542 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.2, < 2.2.21; ≥ 3.1, < 3.1.9; +1 more | 2021-05-05
CVE-2021-31542 [HIGH] CWE-22: In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Sources: GHSA, NVD, OSV

CVE-2016-9014 | P3 | HIGH | CVSS 8.1 | affected: v1.8; v1.8.1; +28 more | 2016-12-09
CVE-2016-9014 [HIGH] CWE-264: Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Sources: GHSA, NVD, OSV

CVE-2020-24583 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.2, < 2.2.16; ≥ 3.0, < 3.0.10; +1 more | 2020-09-01
CVE-2020-24583 [HIGH] CWE-276: An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectsta
Sources: GHSA, NVD, OSV

CVE-2021-33571 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.2, < 2.2.24; ≥ 3.0, < 3.1.12; +1 more | 2021-06-08
CVE-2021-33571 [HIGH] CWE-918: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)
Sources: GHSA, NVD, OSV

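To make the bypass in the CVE-2021-33571 entry concrete, here is an added Python example (not Django's code) that puts a lenient dotted-quad validator beside a strict one and beside the standard-library check. BLOCKED, the sample addresses and all helper names are constructed for this illustration; inet_aton_like() is a model of the octet rules of BSD inet_aton() written for the example, not a call into any library.

```python
"""Added example (not Django code) for CVE-2021-33571: a dotted-quad check that
tolerates leading zeros can be bypassed, because some resolvers read a
zero-prefixed octet as octal. BLOCKED, the sample inputs and the helper
names are constructed for this illustration."""
import ipaddress
import re

# Constructed policy: an outbound-fetch feature must never reach loopback.
BLOCKED = {"127.0.0.1"}

# Strict dotted-quad: each octet is 0-255 written without a leading zero.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])"
STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}\Z")


def inet_aton_like(value):
    """Model of BSD inet_aton()'s octet rules (an assumption for illustration):
    a '0x' prefix is hex, a leading '0' is octal, otherwise decimal.
    Returns the canonical dotted-quad, or None if an octet does not parse."""
    nums = []
    for part in value.split("."):
        try:
            if part.lower().startswith("0x"):
                nums.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                nums.append(int(part, 8))
            else:
                nums.append(int(part))
        except ValueError:
            return None
    if len(nums) != 4 or any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(map(str, nums))


def lenient_allows(value):
    """Vulnerable: accepts any four all-digit octets whose decimal value is
    0-255, so '0177.0.0.1' is normalised to 177.0.0.1 and passes the block
    list, while the socket layer later treats 0177 as octal 127."""
    parts = value.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    ):
        return False
    return ".".join(str(int(p)) for p in parts) not in BLOCKED


def strict_allows(value):
    """Hardened: reject leading zeros outright, then compare the literal text."""
    return bool(STRICT_IPV4.match(value)) and value not in BLOCKED


def stdlib_allows(value):
    """Same policy via the standard library. ipaddress rejects leading zeros
    from Python 3.9.5 on, which is why the entry says the two Django validators
    are unaffected there; on older interpreters '0177' parses as decimal 177
    and this check is as weak as lenient_allows()."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return str(addr) not in BLOCKED


if __name__ == "__main__":
    probe = "0177.0.0.1"  # constructed attacker input
    print(lenient_allows(probe), inet_aton_like(probe), strict_allows(probe))
```

The lenient validator's mistake is normalising with int() before the comparison: it answers a different question ("is this 177.0.0.1?") from the one the socket layer will later answer. Refusing the ambiguous spelling, rather than reinterpreting it, is what makes the strict form safe regardless of which resolver sits behind it.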
CVE-2025-64460 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.27; ≥ 5.1, < 5.1.15; +1 more | 2025-12-02
CVE-2025-64460 [HIGH] CWE-407: An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier
Sources: GHSA, NVD, OSV

CVE-2014-0474 | P3 | CRITICAL | CVSS 10.0 | affected: v1.6; v1.6.1; +19 more | 2014-04-23
CVE-2014-0474 [CRITICAL] CWE-399: The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Sources: GHSA, NVD, OSV

CVE-2018-6188 | P3 | HIGH | CVSS 7.5 | affected: v1.11.8; v1.11.9; +2 more | 2018-02-05
CVE-2018-6188 [HIGH] CWE-200: django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Sources: GHSA, NVD, OSV

CVE-2021-44420 | P3 | HIGH | CVSS 7.3 | affected: ≥ 2.2, < 2.2.25; ≥ 3.1, < 3.1.14; +1 more | 2021-12-08
CVE-2021-44420 [HIGH]: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Sources: GHSA, NVD, OSV

CVE-2026-33034 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more | 2026-04-07
CVE-2026-33034 [HIGH] CWE-770: An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (suc
Sources: GHSA, NVD, OSV

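The failure mode in the CVE-2026-33034 entry is a limit enforced against what the client claims rather than what it sends. The following added Python example (not Django's code) models an ASGI body reader in both forms: one that checks only the declared Content-Length, and one that also counts the bytes that actually arrive. The receive() stub, the chunk sizes, LIMIT and the exception name are constructed for this illustration.

```python
"""Added example (not Django code) for CVE-2026-33034: a body reader that
enforces its memory limit only against the declared Content-Length can be
driven past that limit by a request that omits or understates the header.
The receive() stub, chunk sizes and LIMIT are constructed for this illustration."""
import asyncio

LIMIT = 1024  # stands in for DATA_UPLOAD_MAX_MEMORY_SIZE; constructed value


class RequestDataTooBig(Exception):
    pass


def make_receive(chunks):
    """Constructed ASGI receive(): hands out 'http.request' events from a list
    of byte chunks, setting more_body while chunks remain."""
    queue = list(chunks)

    async def receive():
        body = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


async def read_body_declared(receive, content_length, limit=LIMIT):
    """Vulnerable pattern: the check runs once, against the header, and the
    loop that follows drains the stream without ever counting bytes."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    buf = bytearray()
    while True:
        event = await receive()
        buf += event.get("body", b"")
        if not event.get("more_body", False):
            return bytes(buf)


async def read_body_counted(receive, content_length, limit=LIMIT):
    """Hardened: keep the cheap early check, but also count what actually
    arrives, and stop as soon as it passes the limit or the declared length."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    buf = bytearray()
    while True:
        event = await receive()
        buf += event.get("body", b"")
        if len(buf) > limit:
            raise RequestDataTooBig(f"body exceeds limit after {len(buf)} bytes")
        if content_length is not None and len(buf) > content_length:
            raise RequestDataTooBig("body longer than declared Content-Length")
        if not event.get("more_body", False):
            return bytes(buf)


def read_sync(chunks, content_length, counted):
    """Run either reader to completion from plain synchronous code."""
    reader = read_body_counted if counted else read_body_declared
    return asyncio.run(reader(make_receive(chunks), content_length))


if __name__ == "__main__":
    # Constructed attack: Content-Length claims 100 bytes, the stream carries 5000.
    big = [b"A" * 1000] * 5
    print(len(read_sync(big, 100, counted=False)))  # 5000: limit bypassed
    try:
        read_sync(big, 100, counted=True)
    except RequestDataTooBig as exc:
        print("rejected:", exc)
```

The counted reader still buffers at most one chunk beyond the limit before raising, so the bound it gives is "limit plus the server's chunk size", which is what a memory cap has to mean for a streamed body; the declared-only reader gives no bound at all once the header is absent or wrong.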
CVE-2024-42005 | P3 | HIGH | CVSS 7.3 | affected: ≥ 4.2, < 4.2.15; ≥ 5.0, < 5.0.8 | 2024-08-07
CVE-2024-42005 [HIGH] CWE-89: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Sources: GHSA, NVD, OSV

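The three SQL-injection entries on this page that concern aliases (CVE-2025-59681, CVE-2022-28347 and CVE-2024-42005) share one root cause: a string the application never validated, arriving as a dictionary key or positional argument, is formatted into the generated SQL as a column alias or option name. The following Python is added here as an illustration and is not Django's own code: it reproduces that pattern against an in-memory SQLite database and then applies an allowlist check to the alias. The schema, sample rows, ALLOWED_EXPRESSIONS, PAYLOAD and helper names are constructed, and the allowlist regex is this example's policy rather than Django's validation.

```python
"""Added example (not Django code): how an attacker-controlled column alias
becomes SQL injection, and one way to refuse it. CVE-2025-59681 (annotate/
alias/aggregate/extra kwargs), CVE-2022-28347 (explain option names) and
CVE-2024-42005 (values/values_list JSON keys) all share this root cause.
The schema, rows, ALLOWED_EXPRESSIONS and helper names are constructed."""
import re
import sqlite3

# Constructed sample data: the table a view is meant to read, and a table
# nothing in this view should ever be able to reach.
_SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
INSERT INTO products VALUES (1, 'widget', 10);
INSERT INTO secrets VALUES (1, 'sk-live-0123456789');
"""

# The expressions are fixed by the application; only the alias (dict key)
# comes from the request, exactly as with **kwargs passed to annotate().
ALLOWED_EXPRESSIONS = {"price": "price", "upper_name": "UPPER(name)"}


def build_select_unsafe(aliases):
    """Vulnerable pattern: the request-supplied key is formatted straight into
    the quoted identifier, so a key containing a double quote closes it and
    the rest of the key is parsed as SQL inside the same statement."""
    cols = ", ".join(
        f'{ALLOWED_EXPRESSIONS[expr]} AS "{alias}"'
        for alias, expr in aliases.items()
    )
    return f"SELECT {cols} FROM products"


# Allowlist policy assumed for this example: an alias is a plain identifier
# (letter or underscore, then letters, digits, underscores; at most 63 chars).
# An allowlist is stricter than denying quotes, semicolons and comment markers.
ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}\Z")


def validate_alias(alias):
    if not isinstance(alias, str) or not ALIAS_RE.match(alias):
        raise ValueError(f"invalid column alias: {alias!r}")
    return alias


def build_select_safe(aliases):
    """Hardened: every alias passes validate_alias() before it is quoted."""
    cols = ", ".join(
        f'{ALLOWED_EXPRESSIONS[expr]} AS "{validate_alias(alias)}"'
        for alias, expr in aliases.items()
    )
    return f"SELECT {cols} FROM products"


def run(sql):
    """Run one statement against a fresh in-memory database and return
    (column names, rows), so the effect of the alias is visible."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(_SCHEMA)
        cur = conn.execute(sql)
        return [d[0] for d in cur.description], cur.fetchall()
    finally:
        conn.close()


# Constructed payload: closes the alias and appends a second column that
# reads from the other table. It is one statement, so no ';' is needed.
PAYLOAD = {'x", (SELECT api_key FROM secrets) AS "leak': "price"}

if __name__ == "__main__":
    print(run(build_select_unsafe(PAYLOAD)))  # second column leaks api_key
    try:
        build_select_safe(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(run(build_select_safe({"total": "price"})))
```

The payload needs no semicolon; it only has to close the quoted identifier, so a deny-list that stops at ';' would not have caught it. Validating the alias before it is quoted, as build_select_safe() does, is independent of the backend's quoting rules, which is exactly the dependency that makes the vulnerable form backend-specific.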
CVE-2026-3902 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more | 2026-04-07
CVE-2026-3902 [HIGH] CWE-290: An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not eva
Sources: GHSA, NVD, OSV

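An added Python example (not Django's code) of the ambiguity the CVE-2026-3902 entry describes: when every header name is upper-cased and its hyphens turned into underscores, `x-forwarded-for` and `x_forwarded_for` land in the same META key, and a proxy that only manages the hyphenated spelling can be bypassed with the other one. The header lists, the client_ip() trust rule and the comma-join for repeated headers are assumptions made for this illustration.

```python
"""Added example (not Django code) for CVE-2026-3902: why mapping header names
to an underscore form is ambiguous, and one way to remove the ambiguity.
The header lists and the trust logic are constructed for this illustration;
the join-with-comma behaviour for repeated headers is modelled, not copied."""


def meta_ambiguous(headers):
    """Models the vulnerable mapping: every ASGI header name is upper-cased and
    '-' replaced by '_', so 'x-forwarded-for' and 'x_forwarded_for' collide in
    HTTP_X_FORWARDED_FOR and their values are merged."""
    meta = {}
    for raw_name, raw_value in headers:
        key = "HTTP_" + raw_name.decode("latin1").upper().replace("-", "_")
        value = raw_value.decode("latin1")
        meta[key] = meta[key] + "," + value if key in meta else value
    return meta


def meta_strict(headers):
    """Hardened: a name that already contains '_' can never be told apart from
    its hyphenated twin after mapping, so it is dropped before mapping (the
    same policy as nginx's default of underscores_in_headers off)."""
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if "_" in name:
            continue
        key = "HTTP_" + name.upper().replace("-", "_")
        value = raw_value.decode("latin1")
        meta[key] = meta[key] + "," + value if key in meta else value
    return meta


def client_ip(meta):
    """Constructed trust rule: the reverse proxy is assumed to append the real
    client address to X-Forwarded-For, so the last entry is taken."""
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    return xff.split(",")[-1].strip() or None


# Constructed request as it would arrive from a proxy that appended the true
# client address to X-Forwarded-For but passed the underscore variant through
# untouched because it did not recognise it as the same header.
SPOOF_ATTEMPT = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"198.51.100.7"),  # written by the proxy: real client
    (b"x_forwarded_for", b"127.0.0.1"),     # attacker-supplied variant
]

if __name__ == "__main__":
    print(client_ip(meta_ambiguous(SPOOF_ATTEMPT)))  # 127.0.0.1 (spoofed)
    print(client_ip(meta_strict(SPOOF_ATTEMPT)))     # 198.51.100.7
```

Dropping underscore names at the application edge only helps if every proxy in front of it does the same or the application is the first hop to apply the mapping; the durable fix is to make sure exactly one component normalises header names and every component after it sees an unambiguous form.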
CVE-2025-64458 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.2, < 4.2.26; ≥ 5.1, < 5.1.14; +1 more | 2025-11-05
CVE-2025-64458 [HIGH] CWE-407: An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs w
Sources: GHSA, NVD, OSV