cvebase

Djangoproject Django vulnerabilities

158 known vulnerabilities affecting djangoproject/django.

Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14 · HIGH 51 · MEDIUM 87 · LOW 6

Vulnerabilities

Page 4 of 8
CVE-2026-1287 · P3 · MEDIUM · CVSS 5.4 · affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more · 2026-02-03
CWE-89: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`
Sources: GHSA, NVD, OSV
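As an added illustration of the hardening a practitioner wants in front of the `**kwargs` pattern the entry above describes (this is example code written for this page, not code from cvebase or from Django): a small validator that refuses any user-controlled alias that is not a plain identifier, including one that smuggles SQL behind a control character that a whitespace-only check would miss. `is_safe_alias`, `validate_aliases` and the two sample dictionaries are hypothetical; the sample values are plain strings standing in for the expression objects you would really pass to `annotate()`.

```python
import unicodedata


def is_safe_alias(alias: str) -> bool:
    """Return True only if ``alias`` is a plain identifier that can never
    reach SQL as anything else. Hypothetical helper, not Django's own."""
    if not alias or not alias.isidentifier():
        return False
    if "__" in alias:
        return False  # Django reserves '__' for lookups and joins
    # isidentifier() already rejects C0/C1 control characters; also refuse
    # every other Unicode control or format character (categories Cc, Cf,
    # Cs, Co, Cn) so that nothing like a zero-width space survives.
    return all(not unicodedata.category(ch).startswith("C") for ch in alias)


def validate_aliases(user_kwargs: dict) -> dict:
    """Return a copy of ``user_kwargs`` that is safe to splat into
    ``annotate()``, ``values()`` and friends, or raise ValueError naming the
    first offending key. Values are left untouched: in real code they are
    expressions such as ``F("price")``; strings stand in for them here."""
    for alias in user_kwargs:
        if not is_safe_alias(alias):
            raise ValueError(f"unsafe column alias: {alias!r}")
    return dict(user_kwargs)


# Constructed request payloads (not from the advisory): the first is what a
# well-behaved client sends, the second hides SQL behind a vertical-tab
# control character (\x0b) so that a check for ordinary spaces never fires.
SAFE_KWARGS = {"total_price": "price", "n_items": "quantity"}
HOSTILE_KWARGS = {"total\x0bFROM auth_user--": "price"}

if __name__ == "__main__":
    print(validate_aliases(SAFE_KWARGS))
    try:
        validate_aliases(HOSTILE_KWARGS)
    except ValueError as exc:
        print("rejected:", exc)
```

The stronger design is to never let request data choose alias names at all: map a fixed set of client-facing names onto aliases you wrote yourself, and reject anything outside that map. The validator above is the fallback for code that already splats user dictionaries.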
CVE-2024-53907 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.17; ≥ 5.0, < 5.0.10; +1 more · 2024-12-06
CWE-770: An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Sources: GHSA, NVD, OSV
CVE-2023-41164 · P3 · HIGH · CVSS 7.5 · affected: ≥ 3.2, < 3.2.21; ≥ 4.1, < 4.1.11; +1 more · 2023-11-03
CWE-1284: In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Sources: GHSA, NVD, OSV
CVE-2021-3281 · P3 · MEDIUM · CVSS 5.3 · affected: ≥ 2.2, < 2.2.18; ≥ 3.0, < 3.0.12; +1 more · 2021-02-02
CWE-22: In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Sources: GHSA, NVD, OSV
CVE-2015-5143 · P3 · HIGH · CVSS 7.8 · affected: v1.4.20; v1.5; +36 more · 2015-07-14
CWE-399: The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Sources: GHSA, NVD, OSV
CVE-2024-41990 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.15; ≥ 5.0, < 5.0.8 · 2024-08-07
CWE-130: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Sources: GHSA, NVD, OSV
CVE-2025-27556 · P3 · HIGH · CVSS 7.5 · affected: ≥ 5.0, < 5.0.14; ≥ 5.1, < 5.1.8 · 2025-04-02
CWE-770: An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode ch
Sources: GHSA, NVD, OSV
CVE-2014-0472 · P3 · MEDIUM · CVSS 5.1 · affected: ≤ 1.4.10; v1.4; +19 more · 2014-04-23
CWE-94: The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
Sources: GHSA, NVD, OSV
CVE-2026-35192 · P3 · MEDIUM · CVSS 6.5 · affected: ≥ 5.2, < 5.2.14; ≥ 6.0, < 6.0.5 · 2026-05-05
CWE-539: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not ev
Sources: GHSA, NVD
CVE-2016-2512 · P3 · HIGH · CVSS 7.4 · affected: v1.8.9; v1.9; +2 more · 2016-04-08
CWE-79: The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Sources: GHSA, NVD, OSV
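To make the redirect problem concrete, here is an added Python example, written for this page and not taken from Django or from cvebase, that models the check the advisory describes: a naive version that normalises backslashes to slashes (as Chrome does) and parses the URL once, beside a hardened version that requires both the raw and the normalised form to pass. The point it shows is that Python's own `urlsplit` already reads the quoted payload as credentials `mysite.example.com\` on host `attacker.com`, so any client that does not rewrite the backslash is sent off-site. `_check`, `naive_is_safe_url`, `hardened_is_safe_url`, `parsed_hostname`, `ALLOWED_HOST` and `PAYLOAD` are names assumed by this example; the payload string itself is the one the advisory quotes.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "mysite.example.com"  # assumed request host for the demo


def _check(url: str, host: str) -> bool:
    """One parse of ``url``: safe when it is relative, or absolute on
    ``host`` over http(s). Any user:pass@ prefix makes netloc != host."""
    if url.startswith("///"):
        return False  # Chrome reads three slashes as absolute; urlsplit does not
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:
        return False  # e.g. http:///attacker.com or javascript:alert(1)
    if parts.netloc and parts.netloc != host:
        return False
    return not parts.scheme or parts.scheme in ("http", "https")


def naive_is_safe_url(url: str, host: str = ALLOWED_HOST) -> bool:
    """Modelled on the weak check: normalise '\\' to '/' first, then parse
    only that normalised form."""
    url = url.strip()
    return bool(url) and _check(url.replace("\\", "/"), host)


def hardened_is_safe_url(url: str, host: str = ALLOWED_HOST) -> bool:
    """Both the raw and the slash-normalised form must pass, because a
    client that keeps the backslash treats 'mysite.example.com\\' as
    credentials and attacker.com as the host."""
    url = url.strip()
    return bool(url) and _check(url, host) and _check(url.replace("\\", "/"), host)


def parsed_hostname(url: str):
    """Where a backslash-preserving parser would actually send the user."""
    return urlsplit(url).hostname


PAYLOAD = "http://mysite.example.com\\@attacker.com"  # the advisory's example

if __name__ == "__main__":
    print("raw parse goes to   :", parsed_hostname(PAYLOAD))   # attacker.com
    print("naive check allows  :", naive_is_safe_url(PAYLOAD))  # True
    print("hardened check allows:", hardened_is_safe_url(PAYLOAD))  # False
    print("relative path allows :", hardened_is_safe_url("/accounts/profile/"))  # True
```

This deliberately keeps only the part the CVE is about: a single host, no port handling and none of the allowed-hosts set or HTTPS requirement that Django's later `url_has_allowed_host_and_scheme()` takes. In application code, pass the `next` parameter through that function rather than hand-rolling a check like this.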
CVE-2025-32873 · P4 · MEDIUM · CVSS 5.3 · affected: ≥ 4.2.0, < 4.2.21; ≥ 5.1, < 5.1.9; +3 more · 2025-05-08
CWE-770: An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on
Sources: GHSA, NVD, OSV
CVE-2020-13254 · P3 · MEDIUM · CVSS 5.9 · affected: ≥ 2.2, < 2.2.13; ≥ 3.0, < 3.0.7 · 2020-06-03
CWE-295: An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Sources: GHSA, NVD, OSV
CVE-2025-13473 · P3 · MEDIUM · CVSS 5.3 · affected: ≥ 4.2, < 4.2.28; ≥ 5.2, < 5.2.11; +1 more · 2026-02-03
CWE-208: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may a
Sources: GHSA, NVD, OSV
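Added example for the timing point above (example code written for this page, not Django's mod_wsgi handler and not from cvebase): user enumeration of this kind arises when the lookup for a missing user returns before any password hashing has happened, so a wrong password for a real account costs one PBKDF2 run and any password for a non-existent account costs nothing. The standard fix, and the approach Django's own `ModelBackend.authenticate()` takes, is to run the hasher against a throw-away hash anyway and only then report failure. `USERS`, `_DUMMY_HASH`, `make_hash`, `verify`, the two `check_password_*` functions and `timing_ratio` are names assumed here; PBKDF2-SHA256 stands in for whatever hasher is configured.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 50_000  # deliberately low so the demo runs in well under a second


def make_hash(password: str, salt=None) -> str:
    """PBKDF2-SHA256 with a random 16-byte salt, encoded as 'salthex$keyhex'."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${key.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the key and compare in constant time."""
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(key.hex(), key_hex)


# Constructed user table standing in for the auth_user lookup.
USERS = {"alice": make_hash("correct horse battery staple")}

# Computed once at import time. Its only job is to give unknown users a code
# path that costs the same as a real verification.
_DUMMY_HASH = make_hash(secrets.token_hex(16))


def check_password_leaky(username: str, password: str) -> bool:
    """Returns as soon as the user is missing: no PBKDF2 work is done, so
    the response for an unknown user is measurably faster."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify(password, stored)


def check_password_constant(username: str, password: str) -> bool:
    """Runs the hasher either way; the unknown-user branch does the same
    work as the known-user branch and discards the result."""
    stored = USERS.get(username)
    if stored is None:
        verify(password, _DUMMY_HASH)
        return False
    return verify(password, stored)


def timing_ratio(fn, rounds: int = 5) -> float:
    """Mean time for an unknown user divided by mean time for a known user
    with a wrong password. A value far below 1.0 means ``fn`` leaks whether
    the user exists."""
    def mean(username):
        t0 = time.perf_counter()
        for _ in range(rounds):
            fn(username, "wrong password")
        return (time.perf_counter() - t0) / rounds
    return mean("nobody") / mean("alice")


if __name__ == "__main__":
    print("leaky ratio    :", round(timing_ratio(check_password_leaky), 4))
    print("constant ratio :", round(timing_ratio(check_password_constant), 4))
```

The dummy hash must use the same algorithm and work factor as real accounts, otherwise the two branches still differ in cost; and the database lookup itself still takes slightly different time for hit and miss, which is why this reduces rather than eliminates the signal.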
CVE-2024-41989 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.15; ≥ 5.0, < 5.0.8 · 2024-08-07
CWE-400: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Sources: GHSA, NVD, OSV
CVE-2024-38875 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.14; ≥ 5.0, < 5.0.7 · 2024-07-10
CWE-130: An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Sources: GHSA, NVD, OSV
CVE-2024-41991 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.15; ≥ 5.0, < 5.0.8 · 2024-08-07
CWE-1284: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Sources: GHSA, NVD, OSV
CVE-2025-26699 · P3 · HIGH · CVSS 7.5 · affected: ≥ 4.2, < 4.2.20; ≥ 5.0, < 5.0.13; +1 more · 2025-03-06
CWE-770: An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Sources: GHSA, NVD, OSV
CVE-2011-0698 · P4 · HIGH · CVSS 7.5 · affected: v1.1; v1.1.0; +7 more · 2011-02-14
CWE-22: Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
Sources: GHSA, NVD, OSV
CVE-2019-19118 · P4 · MEDIUM · CVSS 6.5 · affected: ≥ 2.1, < 2.1.15; ≥ 2.2, < 2.2.8 · 2019-12-02
CWE-276: Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the vi
Sources: GHSA, NVD, OSV
CVE-2021-28658 · P4 · MEDIUM · CVSS 5.3 · affected: ≥ 2.2, < 2.2.20; ≥ 3.0, < 3.0.14; +1 more · 2021-04-06
CWE-22: In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Sources: GHSA, NVD, OSV
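Both directory-traversal entries on this page, CVE-2021-3281 (archive members with absolute paths or dot segments reaching django.utils.archive.extract) and CVE-2021-28658 (crafted upload filenames reaching a custom upload handler), come down to the same missing check: a path supplied by the other side was used without confirming it stays under the intended directory. The following is an added example written for this page, not Django's code and not from cvebase: `is_contained` resolves a candidate against its base directory and compares whole path components (a string-prefix test would wrongly accept `/srv/app2` under `/srv/app`), `vet_archive_members` applies it to a constructed member list, and `sanitize_upload_name` keeps only the leaf of a client-supplied filename. All function names, the `DEST` directory and the `MEMBERS` list are assumptions; the directory does not need to exist for the checks to run.

```python
import os
import posixpath


def is_contained(base_dir: str, member: str) -> bool:
    """True if ``member``, joined to ``base_dir``, resolves to a path inside
    ``base_dir``. Absolute members, '..' segments and symlinked parents are
    all handled by resolving both sides and then comparing whole path
    components rather than string prefixes."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member))
    return os.path.commonpath([base, target]) == base


def vet_archive_members(names, dest_dir: str) -> list:
    """Return the member names that must not be extracted into ``dest_dir``.
    Backslashes are normalised first: an archive built on Windows can carry
    '..\\..\\x', which a POSIX extractor would otherwise treat as a single
    odd file name rather than as traversal."""
    rejected = []
    for name in names:
        normalised = name.replace("\\", "/")
        if posixpath.isabs(normalised) or not is_contained(dest_dir, normalised):
            rejected.append(name)
    return rejected


def sanitize_upload_name(client_name: str) -> str:
    """What a custom upload handler should do with a client-supplied
    filename before touching the filesystem: keep only the last path
    component, treating both '/' and '\\' as separators."""
    leaf = posixpath.basename(client_name.replace("\\", "/"))
    if leaf in ("", ".", ".."):
        raise ValueError(f"unusable upload filename: {client_name!r}")
    return leaf


# Constructed inputs for the demo (not taken from either advisory).
DEST = "/srv/app/new_project"
MEMBERS = [
    "project_name/settings.py",      # legitimate template file
    "/etc/cron.d/backdoor",          # absolute path
    "../../../../etc/cron.d/evil",   # leading dot segments
    "project_name/../../escape.py",  # dot segments after a real prefix
    "..\\..\\escape.py",             # Windows-style traversal
]

if __name__ == "__main__":
    for name in vet_archive_members(MEMBERS, DEST):
        print("refused:", name)
    print(sanitize_upload_name("../../../etc/passwd"))            # passwd
    print(sanitize_upload_name("C:\\Users\\x\\..\\shell.py"))     # shell.py
```

For uploads, the leaf name is still only a hint: store under a server-generated name (or at least the leaf joined with a `safe_join`-style check) and keep the client's name as metadata. Django's built-in `FileSystemStorage` and upload handlers already behave this way, which is why the advisory scopes the bug to custom handlers.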