Djangoproject Django vulnerabilities
158 known vulnerabilities affecting djangoproject/django.
Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown
Critical: 14 | High: 51 | Medium: 87 | Low: 6
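The entries on this page give affected versions as inclusive lower / exclusive upper bounds ("≥ 4.2, < 4.2.28"), occasionally as exact versions ("v1.3"), and often elide further series behind a "+N more" marker. The script below, an added example that is not part of this page or of the Django project, checks a given Django version against ranges copied from this page's entries and, importantly, separates "not listed" from "cleared": an entry whose ranges were elided cannot clear a version on the strength of this page alone. The notation parsing and the PAGE_ENTRIES list are this example's assumptions; the version is passed in explicitly so nothing needs Django installed.

```python
"""Check a Django version against the affected-version ranges on this page.

Added example, not part of this page or of the Django project. PAGE_ENTRIES
is copied from entries on this page; the parser understands the page's own
notation ("≥ 4.2, < 4.2.28" ranges, "v1.3" exact versions, "+N more" markers)
and that handling is an assumption of this script.
"""
import re

# Constructed from entries on this page: (CVE id, affected-version text).
PAGE_ENTRIES = [
    ("CVE-2019-6975", "≥ 1.11.0, < 1.11.19; ≥ 2.0.0, < 2.0.11; +1 more"),
    ("CVE-2025-14550", "≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more"),
    ("CVE-2025-59682", "≥ 4.2.0, < 4.2.25; ≥ 5.1, < 5.1.13; +2 more"),
    ("CVE-2024-56374", "≥ 4.2, < 4.2.18; ≥ 5.0, < 5.0.11; +1 more"),
    ("CVE-2026-1285", "≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more"),
    ("CVE-2026-25673", "≥ 4.2.0, < 4.2.29; ≥ 5.2, < 5.2.12; +2 more"),
    ("CVE-2022-36359", "≥ 3.2, < 3.2.15; ≥ 4.0, < 4.0.7"),
    ("CVE-2026-33033", "≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more"),
    ("CVE-2012-4520", "v1.3; v1.3.1; +4 more"),
    ("CVE-2026-1312", "≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more"),
]

BOUND_RE = re.compile(r"(≥|>=|<)\s*(\d+(?:\.\d+)*)")
EXACT_RE = re.compile(r"v?(\d+(?:\.\d+)*)")
MORE_RE = re.compile(r"\+\d+ more")


def parse_version(text):
    """'4.2.27' -> (4, 2, 27). Only final releases are accepted; tuple
    comparison then orders versions correctly, e.g. (4, 2) < (4, 2, 1)."""
    if not EXACT_RE.fullmatch(text):
        raise ValueError(f"not a final release version: {text!r}")
    return tuple(int(part) for part in text.lstrip("v").split("."))


def parse_ranges(text):
    """Split affected-version text into (lower, upper) pairs.

    lower is inclusive, upper exclusive; an exact version is stored as
    (version, None). The second value is True when a '+N more' marker
    shows that the page elided further ranges, i.e. the list is incomplete."""
    ranges, has_more = [], False
    for group in (g.strip() for g in text.split(";")):
        if MORE_RE.fullmatch(group):
            has_more = True
            continue
        bounds = dict(BOUND_RE.findall(group))
        if bounds:
            low = bounds.get("≥", bounds.get(">="))
            high = bounds.get("<")
            if low is None or high is None:
                raise ValueError(f"range needs lower and upper bound: {group!r}")
            ranges.append((parse_version(low), parse_version(high)))
        elif EXACT_RE.fullmatch(group):
            ranges.append((parse_version(group), None))
        else:
            raise ValueError(f"unrecognised affected-version text: {group!r}")
    return ranges, has_more


def is_affected(version, ranges):
    v = parse_version(version)
    for low, high in ranges:
        if high is None:
            if v == low:
                return True
        elif low <= v < high:
            return True
    return False


def check_version(version, entries=PAGE_ENTRIES):
    """Return (affected, unverifiable): CVEs whose listed ranges contain the
    version, and CVEs whose listing is truncated by '+N more' and did not
    match, which this page alone therefore cannot clear."""
    affected, unverifiable = [], []
    for cve, text in entries:
        ranges, has_more = parse_ranges(text)
        if is_affected(version, ranges):
            affected.append(cve)
        elif has_more:
            unverifiable.append(cve)
    return affected, unverifiable


if __name__ == "__main__":
    import sys
    hits, unknown = check_version(sys.argv[1] if len(sys.argv) > 1 else "4.2.27")
    print("affected:", hits)
    print("not cleared by this page (ranges elided):", unknown)
```

Run it with the version from `python -m django --version`. Anything reported as unverifiable needs the full advisory (the "+N more" series) before it can be ruled out; for a production audit, feed the complete ranges from the advisory source rather than this page's abbreviated listing.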
Vulnerabilities
Page 3 of 8
CVE-2019-6975 | P3 | HIGH | CVSS 7.5 | CWE-770 | Published 2019-02-11
Affected: ≥ 1.11.0, < 1.11.19; ≥ 2.0.0, < 2.0.11; +1 more
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE-2025-14550 | P3 | HIGH | CVSS 7.5 | CWE-407 | Published 2026-02-03
Affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like t
CVE-2025-59682 | P3 | MEDIUM | CVSS 6.5 | CWE-23 | Published 2025-10-01
Affected: ≥ 4.2.0, < 4.2.25; ≥ 5.1, < 5.1.13; +2 more
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
CVE-2019-14232 | P3 | HIGH | CVSS 7.5 | CWE-400 | Published 2019-08-02
Affected: ≥ 1.11, < 1.11.23; ≥ 2.1, < 2.1.11; +1 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() meth
CVE-2020-24584 | P3 | HIGH | CVSS 7.5 | CWE-276 | Published 2020-09-01
Affected: ≥ 2.2, < 2.2.16; ≥ 3.0, < 3.0.10; +1 more
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
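The Python 3.7+ qualifier in that entry matters: from 3.7 on, os.makedirs() applies its mode argument to the leaf directory only, and intermediate directories are created as 0o777 masked by the process umask. The following is an added example, not Django's code, that reproduces the leaky creation, applies the umask-based approach the patched releases use (force a 0o077 umask around makedirs), and audits a cache root for directories readable by group or other. Function names, paths and the 0o022 umask used in the demo are this example's assumptions.

```python
"""Directory modes behind CVE-2020-24584, and an audit for them.

Added example, not Django's code. create_leaky() shows that os.makedirs()
on Python 3.7+ applies its mode to the leaf only; create_tight() applies
a 0o077 umask for the whole creation so every level is 0o700; audit_tree()
lists directories below a cache root with any group/other bit set.
Names, paths and the demo umask are this example's assumptions.
"""
import os
import stat
import tempfile


def create_leaky(root, relpath):
    """Pre-fix behaviour: the 0o700 mode reaches only the leaf directory;
    the intermediates get 0o777 & ~umask, typically 0o755."""
    path = os.path.join(root, relpath)
    os.makedirs(path, 0o700, exist_ok=True)
    return path


def create_tight(root, relpath):
    """Fixed behaviour: hold a 0o077 umask while the chain is created, so
    every level comes out 0o700 regardless of the caller's umask."""
    path = os.path.join(root, relpath)
    old_umask = os.umask(0o077)
    try:
        os.makedirs(path, 0o700, exist_ok=True)
    finally:
        os.umask(old_umask)
    return path


def mode_of(path):
    """Permission bits of path, e.g. 0o755."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Relative paths of directories under root that grant any permission to
    group or other; an empty list means the tree is owner-only."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if mode_of(full) & 0o077:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def demo(umask=0o022):
    """Create both trees under the given umask in a temp dir; return findings.
    With a typical 0o022 umask only the leaky tree's intermediates show up."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            create_leaky(os.path.join(tmp, "leaky"), "a/b/c")
            create_tight(os.path.join(tmp, "tight"), "a/b/c")
            return audit_tree(tmp)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for finding in demo():
        print("group/other-accessible cache directory:", finding)
```

Point audit_tree() at a real filesystem-cache LOCATION to check a deployment: a patched Django only fixes directories it creates after the upgrade, so directories that already exist keep whatever mode they were created with.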
CVE-2024-56374 | P3 | HIGH | CVSS 7.5 | CWE-770 | Published 2025-01-14
Affected: ≥ 4.2, < 4.2.18; ≥ 5.0, < 5.0.11; +1 more
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.fo
CVE-2026-1285 | P3 | HIGH | CVSS 7.5 | CWE-407 | Published 2026-02-03
Affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number
CVE-2021-45116 | P3 | HIGH | CVSS 7.5 | CWE-20 | Published 2022-01-05
Affected: ≥ 2.2, < 2.2.26; ≥ 3.2, < 3.2.11; +1 more
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
CVE-2026-25673 | P3 | HIGH | CVSS 7.5 | CWE-400 | Published 2026-03-03
Affected: ≥ 4.2.0, < 4.2.29; ≥ 5.2, < 5.2.12; +2 more
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these
CVE-2022-36359 | P3 | HIGH | CVSS 8.8 | CWE-494 | Published 2022-08-03
Affected: ≥ 3.2, < 3.2.15; ≥ 4.0, < 4.0.7
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
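The core of that RFD issue is a user-derived filename interpolated into Content-Disposition without escaping, so a quote in the name ends the filename parameter and whatever follows is read as further header parameters. The block below is an added example, not Django's code: naive_disposition() reproduces the unescaped construction, safe_disposition() applies the escaping that closes it (backslash-escaped quotes for ASCII names, RFC 5987 filename*=utf-8'' encoding otherwise, control characters rejected), and a small Content-Disposition parser shows how a receiver reads each result. All function names are this example's assumptions.

```python
"""Content-Disposition construction for a filename derived from user input.

Added example, not Django's code. naive_disposition() is the failure class
behind CVE-2022-36359; safe_disposition() escapes the value; parse_disposition()
is a minimal reader used only to show what a client would see.
"""
from urllib.parse import quote


def naive_disposition(filename, as_attachment=True):
    """Unescaped interpolation: a quote in filename breaks out of the value."""
    disposition = "attachment" if as_attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def safe_disposition(filename, as_attachment=True):
    """Escape the filename so it stays a single quoted-string parameter.

    ASCII names: backslash-escape backslashes and double quotes and wrap in
    quotes. Non-ASCII names: percent-encode as an RFC 5987 ext-value, which
    has no quoting to break out of. Control characters (CR/LF would end the
    header line) are rejected rather than escaped."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        raise ValueError("control character in filename")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        return f"{disposition}; filename*=utf-8''{quote(filename, safe='')}"
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{escaped}"'


def parse_disposition(header):
    """Minimal parser: (disposition_type, {param: value}). Honours backslash
    escapes inside quoted strings; a later duplicate parameter overrides an
    earlier one, which is what lets an injected filename= win."""
    disp_type, _, rest = header.partition(";")
    params, i, n = {}, 0, len(rest)
    while i < n:
        eq = rest.find("=", i)
        if eq < 0:
            break
        name = rest[i:eq].strip().lower()
        i = eq + 1
        if i < n and rest[i] == '"':
            i += 1
            buf = []
            while i < n and rest[i] != '"':
                if rest[i] == "\\" and i + 1 < n:
                    i += 1  # escaped character: take the next char literally
                buf.append(rest[i])
                i += 1
            value = "".join(buf)
            i += 1  # skip closing quote
        else:
            semi = rest.find(";", i)
            semi = n if semi < 0 else semi
            value = rest[i:semi].strip()
            i = semi
        params[name] = value
        semi = rest.find(";", i)
        i = n if semi < 0 else semi + 1
    return disp_type.strip().lower(), params


if __name__ == "__main__":
    # Constructed attacker input: the app prefixes nothing, the user controls
    # the name, and the payload injects a second filename parameter.
    user_name = 'x"; filename="setup.bat'
    for build in (naive_disposition, safe_disposition):
        header = build(user_name)
        print(build.__name__, "->", header)
        print("  client sees:", parse_disposition(header)[1])
```

Django 3.2.15 / 4.0.7 and later apply this escaping inside FileResponse; the hardened builder is for code that sets Content-Disposition itself on older releases or outside FileResponse. Django's HttpResponse separately rejects header values containing newlines, which is why the control-character check here raises instead of stripping.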
CVE-2019-14233 | P3 | HIGH | CVSS 7.5 | CWE-400 | Published 2019-08-02
Affected: ≥ 1.11, < 1.11.23; ≥ 2.1, < 2.1.11; +1 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
CVE-2021-45115 | P3 | HIGH | CVSS 7.5 | Published 2022-01-05
Affected: ≥ 2.2, < 2.2.26; ≥ 3.2, < 3.2.11; +1 more
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for
CVE-2026-33033 | P3 | MEDIUM | CVSS 6.5 | CWE-407 | Published 2026-04-07
Affected: ≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and ma
CVE-2019-14235 | P3 | HIGH | CVSS 7.5 | CWE-674 | Published 2019-08-02
Affected: ≥ 1.11, < 1.11.23; ≥ 2.1, < 2.1.11; +1 more
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
CVE-2022-41323 | P3 | HIGH | CVSS 7.5 | CWE-1333 | Published 2022-10-16
Affected: ≥ 3.2, < 3.2.16; ≥ 4.0, < 4.0.8; +1 more
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVE-2023-36053 | P3 | HIGH | CVSS 7.5 | CWE-1333 | Published 2023-07-03
Affected: ≥ 3.2, < 3.2.20; ≥ 4.0, < 4.1.10; +1 more
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
CVE-2023-43665 | P3 | HIGH | CVSS 7.5 | Published 2023-11-03
Affected: ≥ 3.2, < 3.2.22; ≥ 4.1, < 4.1.12; +1 more
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html a
CVE-2012-4520 | P3 | MEDIUM | CVSS 6.4 | CWE-20 | Published 2012-11-18
Affected: v1.3; v1.3.1; +4 more
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
CVE-2024-24680 | P3 | HIGH | CVSS 7.5 | Published 2024-02-06
Affected: ≥ 3.2, < 3.2.24; ≥ 4.2, < 4.2.10; +1 more
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2026-1312 | P3 | MEDIUM | CVSS 5.4 | CWE-89 | Published 2026-02-03
Affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is also used in `FilteredRelation` through dictionary expansion of a suitably crafted dictionary. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3