Djangoproject Django vulnerabilities

158 known vulnerabilities affecting djangoproject/django.

Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6

Vulnerabilities

Page 5 of 8
CVE-2015-5145 | P4 | HIGH | CVSS 7.8 | Affected: v1.8.0, v1.8.1, +1 more | Date: 2015-07-14
[HIGH] CWE-399: validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Sources: ghsa, nvd, osv
CVE-2007-0404 | P3 | HIGH | Affected: ≥ 0.95, < 1.0 | Date: 2022-05-01
[HIGH] Django Arbitrary Code Execution: `bin/compile-messages.py` in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.
Sources: ghsa, osv
CVE-2019-3498 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 1.11, < 1.11.18; ≥ 2.0, < 2.0.10; +1 more | Date: 2019-01-09
[MEDIUM] CWE-74: In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Sources: ghsa, nvd, osv
CVE-2026-8404 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < 5.2.15; ≥ 6.0, < 6.0.6 | Date: 2026-06-03
[MEDIUM] CWE-178: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case val […]
Sources: nvd
CVE-2019-12308 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 1.11, < 1.11.21; ≥ 2.1, < 2.1.9; +1 more | Date: 2019-06-03
[MEDIUM] CWE-79: An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an […]
Sources: ghsa, nvd, osv
CVE-2021-33203 | P4 | MEDIUM | CVSS 4.9 | Affected: fixed in 2.2.24; ≥ 3.0.0, < 3.1.12; +1 more | Date: 2021-06-08
[MEDIUM] CWE-22: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file […]
Sources: ghsa, nvd, osv
CVE-2015-0219 | P4 | MEDIUM | CVSS 5.0 | Affected: ≤ 1.4.17; v1.6; +12 more | Date: 2015-01-16
[MEDIUM] CWE-17: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Sources: ghsa, nvd, osv
CVE-2018-7536 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 1.8, < 1.8.19; ≥ 1.11, < 1.11.11; +1 more | Date: 2018-03-09
[MEDIUM] CWE-185: An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the u […]
Sources: ghsa, nvd, osv
CVE-2018-7537 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 1.8, < 1.8.19; ≥ 1.11, < 1.11.11; +1 more | Date: 2018-03-09
[MEDIUM] CWE-185: An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods ar […]
Sources: ghsa, nvd, osv
CVE-2013-1665 | P4 | MEDIUM | Affected: ≥ 1.3.0, < 1.3.6; ≥ 1.4.0, < 1.4.4 | Date: 2022-05-17
[MEDIUM] CWE-200 XML External Entity (XXE) in Django: The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Sources: ghsa, osv
CVE-2026-48587 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < 5.2.15; ≥ 6.0, < 6.0.6 | Date: 2026-06-03
[MEDIUM] CWE-1023: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary head […]
Sources: nvd
CVE-2014-1418 | P4 | MEDIUM | CVSS 6.4 | Affected: v1.7; v1.4; +24 more | Date: 2014-05-16
[MEDIUM] Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.
Sources: ghsa, nvd, osv
CVE-2013-4315 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.4; v1.4.1; +7 more | Date: 2013-09-16
[MEDIUM] CWE-22: Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
Sources: ghsa, nvd, osv
CVE-2021-45452 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 2.2, < 2.2.26; ≥ 3.2, < 3.2.11; +1 more | Date: 2022-01-05
[MEDIUM] CWE-22: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Sources: ghsa, nvd, osv
CVE-2019-12781 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 1.11, < 1.11.22; ≥ 2.1, < 2.1.10; +1 more | Date: 2019-07-01
[MEDIUM] CWE-319: An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTT […]
Sources: ghsa, nvd, osv
CVE-2024-45231 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 4.2.0, < 4.2.16; ≥ 5.0, < 5.0.9; +1 more | Date: 2024-10-08
[MEDIUM] CWE-203: An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Sources: ghsa, nvd, osv
CVE-2026-5766 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < 5.2.14; ≥ 6.0, < 6.0.5 | Date: 2026-05-05
[MEDIUM] CWE-130: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather th […]
Sources: ghsa, nvd
CVE-2026-6907 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < 5.2.14; ≥ 6.0, < 6.0.5 | Date: 2026-05-05
[MEDIUM] CWE-524: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also […]
Sources: ghsa, nvd
CVE-2021-32052 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.2, < 2.2.22; ≥ 3.1, < 3.1.10; +1 more | Date: 2021-05-06
[MEDIUM] CWE-79: In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP h […]
Sources: ghsa, nvd, osv
CVE-2020-13596 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2.2, < 2.2.13; ≥ 3.0, < 3.0.7 | Date: 2020-06-03
[MEDIUM] CWE-79: An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
Sources: ghsa, nvd, osv