Djangoproject Django vulnerabilities
158 known vulnerabilities affecting djangoproject/django.
Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6
Vulnerabilities
Page 6 of 8
CVE-2016-2048 | P4 | MEDIUM | CVSS 5.5 | CWE-284 | Affected: v1.9, v1.9.1 | Date: 2016-02-08
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
Sources: GHSA, NVD, OSV
CVE-2018-16984 | P4 | MEDIUM | CVSS 4.9 | CWE-522 | Affected: ≥ 2.1, < 2.1.2 | Date: 2018-10-02
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash t
Sources: GHSA, NVD, OSV
CVE-2025-48432 | P4 | MEDIUM | CVSS 5.3 | CWE-117 | Affected: ≥ 4.2, < 4.2.23; ≥ 5.1, < 5.1.11; +1 more | Date: 2025-06-05
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Sources: GHSA, NVD, OSV
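The log-injection mechanism behind CVE-2025-48432, as an added example that is not Django's code: a request for a URL such as /missing%0AINFO:... decodes to a path containing a newline, and a logger that interpolates that path verbatim emits a second, forged record. The LOG_FORMAT string, the escape_log_value helper and the sample path are constructed for this illustration; the hardening shown (rendering C0 control characters and DEL as \xNN escapes) is a generic technique, not the specific change Django shipped.

```python
import re

# Constructed format string in the style of an HTTP response logger's
# "<level>: Not Found: <request.path>" line.
LOG_FORMAT = "{level}: Not Found: {path}"


def format_vulnerable(path: str) -> str:
    """Interpolates request.path as-is: the pre-fix behaviour described above."""
    return LOG_FORMAT.format(level="WARNING", path=path)


# C0 control characters (0x00-0x1f, which includes \n, \r and ESC) plus DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_log_value(value: str) -> str:
    """Render every control character as a visible \\xNN escape, so a single
    request can never produce more than one record or drive a terminal."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_hardened(path: str) -> str:
    return LOG_FORMAT.format(level="WARNING", path=escape_log_value(path))


def split_records(log_text: str) -> list:
    """What a line-oriented log consumer (tail, a SIEM shipper) would see."""
    return log_text.split("\n")


# Constructed attacker path: the decoded form of "/missing%0AINFO:%20login..."
CRAFTED_PATH = "/missing\nINFO: login succeeded for user admin from 10.0.0.1"

if __name__ == "__main__":
    print(split_records(format_vulnerable(CRAFTED_PATH)))  # two records, one forged
    print(split_records(format_hardened(CRAFTED_PATH)))    # one record, newline visible
```

The same escaping should be applied to any other request-derived field that reaches a log line (query string, User-Agent, Referer), not only the path.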
CVE-2022-22818 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 2.2, < 2.2.27; ≥ 3.2, < 3.2.12; +1 more | Date: 2022-02-03
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Sources: GHSA, NVD, OSV
CVE-2011-4140 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | Affected: ≤ 1.2.6, v0.91, +17 more | Date: 2011-10-19
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
Sources: GHSA, NVD, OSV
CVE-2011-4136 | P4 | MEDIUM | CVSS 5.8 | CWE-20 | Affected: ≤ 1.2.6, v0.91, +17 more | Date: 2011-10-19
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Sources: GHSA, NVD, OSV
CVE-2014-0473 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | Affected: v1.5, v1.5.1, +19 more | Date: 2014-04-23
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
Sources: GHSA, NVD, OSV
CVE-2015-3982 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.8.0, v1.8.1 | Date: 2015-06-02
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
Sources: GHSA, NVD, OSV
CVE-2024-39329 | P4 | MEDIUM | CVSS 5.3 | CWE-208 | Affected: ≥ 4.2, < 4.2.14; ≥ 5.0, < 5.0.7 | Date: 2024-07-10
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Sources: GHSA, NVD, OSV
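A model of the timing side channel in CVE-2024-39329, as an added example that is not Django's code. Unknown usernames already cost one password-hasher run (a dummy hash), but an account whose password is unusable returned before any hashing, so the response time told an attacker which usernames exist. The fixed variant charges every outcome exactly one hasher run. The user table, the "!"-prefixed unusable marker, the simplified "<algorithm>$<iterations>$<salt>$<digest>" encoding and the hash counter are constructed for this illustration; the counter is used instead of a stopwatch so the difference is deterministic.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user table. Encoded passwords use a simplified
# "<algorithm>$<iterations>$<salt>$<hex digest>" layout; a leading "!" marks an
# unusable password (an account that must never log in with a password).
ITERATIONS = 20_000
UNUSABLE_PREFIX = "!"


def make_password(plain: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"


def is_password_usable(encoded: str) -> bool:
    return not encoded.startswith(UNUSABLE_PREFIX)


def verify(plain: str, encoded: str, work: dict) -> bool:
    """Run the hasher and compare in constant time; `work` counts hasher runs
    so the cost of each code path can be observed without timing it."""
    work["hashes"] += 1
    _algo, iters, salt, digest = encoded.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(candidate.hex(), digest)


USERS = {
    "alice": make_password("correct horse battery", "a1b2c3d4"),
    "svc-backup": UNUSABLE_PREFIX + "nologin",  # account with an unusable password
}
# Dummy hash so the hasher can run even when there is nothing real to compare.
_DUMMY = make_password(secrets.token_hex(16))


def authenticate_vulnerable(username: str, password: str, work: dict) -> Optional[str]:
    """Unknown users cost one hasher run, but an existing user with an unusable
    password returns immediately: the cheap path reveals the account exists."""
    encoded = USERS.get(username)
    if encoded is None:
        verify(password, _DUMMY, work)
        return None
    if not is_password_usable(encoded):
        return None  # no hasher run: measurably faster than the other branches
    return username if verify(password, encoded, work) else None


def authenticate_fixed(username: str, password: str, work: dict) -> Optional[str]:
    """Every outcome costs exactly one hasher run."""
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        verify(password, _DUMMY, work)
        return None
    return username if verify(password, encoded, work) else None


def hash_runs(authenticate, username: str) -> int:
    """Number of hasher runs a failed login attempt against `username` costs."""
    work = {"hashes": 0}
    authenticate(username, "wrong-guess", work)
    return work["hashes"]


if __name__ == "__main__":
    for name in ("alice", "svc-backup", "nobody"):
        print(name, hash_runs(authenticate_vulnerable, name), hash_runs(authenticate_fixed, name))
```

The check to carry into a code review of any authentication backend: every branch that ends in "login failed" must do the same expensive work, including the branches for accounts that exist but cannot log in.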
CVE-2015-5963 | P4 | MEDIUM | CVSS 5.0 | CWE-399 | Affected: v1.4, v1.4.1, +31 more | Date: 2015-08-24
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty
Sources: GHSA, NVD, OSV
CVE-2025-13372 | P4 | MEDIUM | CVSS 4.3 | CWE-89 | Affected: ≥ 4.2, < 4.2.27; ≥ 5.1, < 5.1.15; +1 more | Date: 2025-12-02
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.
Sources: GHSA, NVD, OSV
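The alias-injection pattern behind CVE-2025-13372, reduced to a runnable model that is not Django's ORM and is not the actual affected code path. The point is the `**kwargs` route: Python lets `f(**{"not an identifier": value})` reach a `**aliases` parameter, so a keyword name that is spliced into `SELECT <expr> AS <alias>` unchecked becomes SQL. The schema, rows, `annotate_vulnerable`/`annotate_hardened` functions and the crafted key are constructed for this illustration, and SQLite stands in for PostgreSQL so it runs offline; a real backend would use its own identifier-quoting rules.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory schema with constructed rows: the table the query is meant to
    read and a sensitive one the alias injection reaches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO book VALUES (1, 'Two Scoops');
        INSERT INTO auth_user VALUES (1, 'admin', 'pbkdf2_sha256$demo$deadbeef');
        """
    )
    return conn


def annotate_vulnerable(conn: sqlite3.Connection, **aliases: str) -> list:
    """Splices each keyword name into 'SELECT <expr> AS <alias>' unchecked.
    The values (expressions) are developer-written; the keys are the problem."""
    select_list = ", ".join(f"{expr} AS {alias}" for alias, expr in aliases.items())
    return conn.execute(f"SELECT {select_list} FROM book").fetchall()


_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_name(name: str) -> str:
    """Allow-list the alias as a plain identifier, then quote it for the backend."""
    if not _IDENTIFIER.match(name):
        raise ValueError(f"invalid column alias: {name!r}")
    return f'"{name}"'


def annotate_hardened(conn: sqlite3.Connection, **aliases: str) -> list:
    select_list = ", ".join(
        f"{expr} AS {quote_name(alias)}" for alias, expr in aliases.items()
    )
    return conn.execute(f"SELECT {select_list} FROM book").fetchall()


def hardened_rejects(conn: sqlite3.Connection, **aliases: str) -> bool:
    """True when the hardened builder refuses the alias set."""
    try:
        annotate_hardened(conn, **aliases)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled key: closes the alias and appends a subquery.
# Dictionary expansion is what lets a non-identifier string reach **aliases.
CRAFTED = {"t, (SELECT password FROM auth_user) AS leaked": "title"}

if __name__ == "__main__":
    conn = make_db()
    print(annotate_vulnerable(conn, **CRAFTED))        # password hash leaks
    print(hardened_rejects(conn, **CRAFTED))           # True
    print(annotate_hardened(conn, book_title="title"))  # [('Two Scoops',)]
```

Validating the alias against an identifier pattern before quoting is the check to look for in any query builder that accepts names from a caller; quoting alone is only as good as the backend's escaping of embedded quote characters.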
CVE-2015-2316 | P4 | MEDIUM | CVSS 5.0 | CWE-399 | Affected: v1.6, v1.6.1, +17 more | Date: 2015-03-25
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
Sources: GHSA, NVD, OSV
CVE-2014-0482 | P4 | MEDIUM | CVSS 6.0 | CWE-287 | Affected: v1.6, v1.6.1, +27 more | Date: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Sources: GHSA, NVD, OSV
CVE-2014-0480 | P4 | MEDIUM | CVSS 5.8 | CWE-20 | Affected: v1.7, v1.6, +27 more | Date: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
Sources: GHSA, NVD, OSV
CVE-2009-2659 | P4 | HIGH | CWE-22 | Affected: ≥ 0.96.0, < 0.96.4; ≥ 1.0, < 1.0.3 | Date: 2022-05-02
Django Admin Media Handler Vulnerable to Directory Traversal
The Admin media handler in `core/servers/basehttp.py` in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
Sources: GHSA, OSV
CVE-2011-0696 | P4 | MEDIUM | CVSS 6.8 | Affected: v1.1, v1.1.0, +7 more | Date: 2011-02-14
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
Sources: GHSA, NVD, OSV
CVE-2015-5964 | P4 | MEDIUM | CVSS 5.0 | CWE-399 | Affected: v1.4, v1.4.1, +31 more | Date: 2015-08-24
The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.
Sources: GHSA, NVD, OSV
CVE-2015-8213 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | Affected: ≤ 1.7.10, v1.8.0, +7 more | Date: 2015-12-07
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Sources: GHSA, NVD, OSV
CVE-2024-27351 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 3.2, < 3.2.25; ≥ 4.2, < 4.2.11; +1 more | Date: 2024-03-15
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-4366
Sources: GHSA, NVD, OSV
CVE-2017-7234 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: v1.8.0, v1.8.1, +36 more | Date: 2017-04-04
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
Sources: GHSA, NVD, OSV
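Both CVE-2014-0480 (a `//` in a generated URL becoming scheme-relative) and CVE-2017-7234 (an open redirect from the static serve view) come down to the same question: is a redirect target a path on this site, or does it point the browser at another host? The check below is an added example, not Django's code; in a Django app the equivalent call is `django.utils.http.url_has_allowed_host_and_scheme`. The `url_is_safe`/`_check` functions and the test URLs are constructed for this illustration. It goes beyond the two entries above and also covers the backslash, `///`, `http:///host` and `javascript:` variants that browsers accept but naive parsers miss.

```python
from typing import Iterable
from urllib.parse import urlsplit


def url_is_safe(url: str, allowed_hosts: Iterable[str], require_https: bool = False) -> bool:
    """True only if `url` is a path on this site, or an absolute/scheme-relative
    URL whose host is in `allowed_hosts` and whose scheme (if any) is http(s)."""
    if not url:
        return False
    url = url.strip()
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False  # control characters: browsers strip them, parsers may not
    allowed = {host.lower() for host in allowed_hosts}
    # Chrome treats backslash as slash, so "/\evil.com" becomes "//evil.com":
    # the URL must pass in both its raw and its normalised form.
    return _check(url, allowed, require_https) and _check(
        url.replace("\\", "/"), allowed, require_https
    )


def _check(url: str, allowed: set, require_https: bool) -> bool:
    if url.startswith("///"):
        return False  # browsers read this as scheme-relative to the next segment
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed (e.g. unbalanced IPv6 brackets)
    if parts.scheme and not parts.netloc:
        return False  # "http:///evil.com", "javascript:alert(1)"
    if parts.netloc and parts.netloc.lower() not in allowed:
        return False  # "//evil.com", "https://evil.com/"
    schemes = {"https"} if require_https else {"http", "https"}
    return not parts.scheme or parts.scheme.lower() in schemes


if __name__ == "__main__":
    for candidate in ("/accounts/profile/", "//evil.com", "/\\evil.com", "http:///evil.com"):
        print(f"{candidate!r}: {url_is_safe(candidate, {'example.com'})}")
```

Run this check on every value that ends up in a Location header or a generated link, including `next` parameters and anything that passes through `reverse()` with user-controlled segments; a path that merely starts with `/` is not enough, because `//host` also starts with `/`.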