Djangoproject Django vulnerabilities
158 known vulnerabilities affecting djangoproject/django.
Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6
Vulnerabilities
Page 7 of 8
CVE-2011-4137 [MEDIUM, P4, CVSS 5.0] Affected: ≤ 1.2.6, v0.91, +17 more. Date: 2011-10-19
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no
Sources: GHSA, NVD, OSV
CVE-2011-4138 [MEDIUM, P4, CVSS 5.0, CWE-20] Affected: ≤ 1.2.6, v0.91, +17 more. Date: 2011-10-19
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via
Sources: GHSA, NVD, OSV
CVE-2015-5144 [MEDIUM, P4, CVSS 4.3, CWE-20] Affected: ≤ 1.4.20, v1.5, +37 more. Date: 2015-07-14
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to
Sources: GHSA, NVD, OSV
CVE-2017-7233 [MEDIUM, P4, CVSS 6.1, CWE-601] Affected: v1.8.0, v1.8.1, +36 more. Date: 2017-04-04
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer reli
Sources: GHSA, NVD, OSV
CVE-2010-4535 [MEDIUM, P4, CVSS 5.0, CWE-20] Affected: ≤ 1.1.2, v0.91, +13 more. Date: 2011-01-10
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
Sources: GHSA, NVD, OSV
CVE-2008-3909 [MEDIUM, P4, CVSS 5.8, CWE-352] Affected: ≥ 0.91, < 0.91.3; ≥ 0.95, < 0.95.4; +1 more. Date: 2008-09-04
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Sources: GHSA, NVD, OSV
CVE-2015-0222 [MEDIUM, P4, CVSS 5.0, CWE-17] Affected: ≤ 1.4.17, v1.6, +12 more. Date: 2015-01-16
ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.
Sources: GHSA, NVD, OSV
CVE-2013-1443 [MEDIUM, P4, CVSS 5.0, CWE-287] Affected: v1.4, v1.4.1, +10 more. Date: 2013-09-23
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
Sources: GHSA, NVD, OSV
CVE-2011-4139 [MEDIUM, P4, CVSS 5.0, CWE-20] Affected: ≤ 1.2.6, v0.91, +17 more. Date: 2011-10-19
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
Sources: GHSA, NVD, OSV
CVE-2007-0405 [MEDIUM, P4] Affected: ≥ 0.95, < 1.0. Date: 2022-05-01
Django Improper Access Control
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
Sources: GHSA, OSV
CVE-2013-1664 [MEDIUM, P4, CWE-611] Affected: ≥ 1.3.0, < 1.3.6; ≥ 1.4.0, < 1.4.4. Date: 2022-05-17
XML Entity Expansion (XEE) in Django
The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
Sources: GHSA, OSV
CVE-2015-0221 [MEDIUM, P4, CVSS 5.0, CWE-399] Affected: ≤ 1.4.17, v1.6, +12 more. Date: 2015-01-16
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Sources: GHSA, NVD, OSV
CVE-2024-39330 [MEDIUM, P4, CVSS 4.3, CWE-22] Affected: ≥ 4.2, < 4.2.14; ≥ 5.0, < 5.0.7. Date: 2024-07-10
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-
Sources: GHSA, NVD, OSV
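The CVE-2024-39330 entry above turns on a Storage subclass overriding generate_filename() without repeating the parent's file-name validation. The block below is an added example written for this page, not Django's own code: a filesystem-free, pure-Python model of the checks such an override has to keep (reject absolute names, ".." components and unusable basenames, then prove the joined path is still under the storage root). MEDIA_ROOT, validate_relative_name(), storage_path(), generate_filename() and rejects() are names chosen for the demo, and the accepted and rejected inputs are constructed.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed storage root for the demo; nothing here touches the real filesystem.
MEDIA_ROOT = "/srv/app/media"


class SuspiciousFileOperation(ValueError):
    """Raised when an upload name would escape the storage root."""


def validate_relative_name(name):
    """Reject names that are absolute, contain '..' components, or have no
    usable basename. This is the kind of check a generate_filename() override
    must perform (or delegate to the parent) before returning a relative path."""
    text = str(name).replace("\\", "/")  # treat backslashes as separators too
    if "\x00" in text:
        raise SuspiciousFileOperation(f"NUL byte in file name: {name!r}")
    path = PurePosixPath(text)
    if path.name in ("", ".", ".."):
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"path traversal attempt in {name!r}")
    return path.as_posix()


def storage_path(root, name):
    """Join and then prove the normalized result is still inside root. Kept as a
    second, independent check so a broken override cannot reach the disk."""
    root = posixpath.normpath(root)
    final = posixpath.normpath(posixpath.join(root, name))
    if final != root and not final.startswith(root + "/"):
        raise SuspiciousFileOperation(f"{name!r} resolves to {final}, outside {root}")
    return final


def generate_filename(name, prefix="uploads"):
    """Subclass-style override: validates the caller's input, rewrites it
    (adds a prefix), and re-validates the rewritten result rather than
    trusting either side."""
    validate_relative_name(name)
    candidate = posixpath.join(prefix, str(name).replace("\\", "/"))
    relative = validate_relative_name(candidate)
    storage_path(MEDIA_ROOT, relative)  # raises if it would land outside MEDIA_ROOT
    return relative


def rejects(name):
    """True if generate_filename() refuses the name."""
    try:
        generate_filename(name)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    for sample in ("avatars/me.png", "../../etc/passwd", "/etc/passwd", "..\\..\\secret.key"):
        print(f"{'REJECT' if rejects(sample) else 'ok    '} {sample!r}")
```

Both the raw input and the rewritten name are validated: an override that only checks what the caller passed in can still produce a traversing path once it prepends, renames or de-duplicates, which is exactly the gap the advisory describes.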
CVE-2026-6873 [MEDIUM, P4, CVSS 4.3, CWE-347] Affected: ≥ 5.2, < 5.2.15; ≥ 6.0, < 6.0.6. Date: 2026-06-03
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs
Sources: NVD
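The CVE-2026-6873 entry above describes a salt derivation that concatenates the cookie name and the salt. Concatenation is not injective: ("session", "idv2") and ("sessionid", "v2") both become "sessionidv2", so a cookie signed under one pair verifies under the other. The block below is an added example written for this page, not Django's signing code: a toy HMAC cookie signer with the weak concatenating derivation beside a length-prefixed one, and a check that the cross-context replay works only against the former. SECRET_KEY and the function names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment takes this from settings.
SECRET_KEY = b"constructed-demo-secret-key"


def naive_key(name, salt):
    """Models the weak pattern described in the CVE text: name and salt are
    simply concatenated, so ("session", "idv2") and ("sessionid", "v2")
    derive the same key."""
    return hashlib.sha256(SECRET_KEY + (name + salt).encode()).digest()


def separated_key(name, salt):
    """Injective derivation: every field is length-prefixed, so the byte string
    fed to the hash identifies exactly one (name, salt) pair."""
    def field(text):
        data = text.encode()
        return len(data).to_bytes(4, "big") + data
    return hashlib.sha256(SECRET_KEY + field(name) + field(salt)).digest()


def sign(value, name, salt, derive=separated_key):
    """Return value plus an HMAC bound to this (name, salt) context."""
    mac = hmac.new(derive(name, salt), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed, name, salt, derive=separated_key):
    """Return the value if the MAC checks out for this (name, salt), else None."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(derive(name, salt), value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def cross_context_accepted(derive):
    """Sign a cookie as name="session", salt="idv2" and try to redeem it as the
    unrelated cookie name="sessionid", salt="v2". Both pairs concatenate to
    "sessionidv2", so only the naive derivation accepts the swap."""
    token = sign("user=42", "session", "idv2", derive)
    return verify(token, "sessionid", "v2", derive) is not None


if __name__ == "__main__":
    print("naive derivation accepts cross-context cookie: ", cross_context_accepted(naive_key))
    print("length-prefixed derivation accepts it:         ", cross_context_accepted(separated_key))
```

Any unambiguous encoding works for the fix (length prefixes as here, or a separator byte that cannot appear in either field); what matters is that the derivation input determines the (name, salt) pair uniquely, so a valid signature in one context is never a valid signature in another.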
CVE-2015-2317 [MEDIUM, P4, CVSS 4.3, CWE-79] Affected: ≤ 1.4.19, v1.5, +31 more. Date: 2015-03-25
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
Sources: GHSA, NVD, OSV
CVE-2013-0306 [MEDIUM, P4, CVSS 5.0, CWE-189] Affected: v1.3, v1.3.1, +6 more. Date: 2013-05-02
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.
Sources: GHSA, NVD, OSV
CVE-2009-3695 [MEDIUM, P4, CVSS 5.0] Affected: v1.0, v1.1. Date: 2009-10-13
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
Sources: GHSA, NVD, OSV
CVE-2012-3444 [MEDIUM, P4, CVSS 5.0, CWE-119] Affected: ≤ 1.3, v0.95, +17 more. Date: 2012-07-31
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
Sources: GHSA, NVD, OSV
CVE-2014-3730 [MEDIUM, P4, CVSS 4.3, CWE-20] Affected: v1.4, v1.4.1, +24 more. Date: 2014-05-16
The django.utils.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
Sources: GHSA, NVD, OSV
CVE-2015-0220 [MEDIUM, P4, CVSS 4.3, CWE-79] Affected: ≤ 1.4.17, v1.6, +12 more. Date: 2015-01-16
The django.utils.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Sources: GHSA, NVD, OSV
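Four entries on this page (CVE-2014-3730, CVE-2015-0220, CVE-2015-2317 and CVE-2017-7233) are bypasses of the same redirect-target check, each exploiting a place where a URL parser and a browser disagree: backslashes, leading whitespace, other control characters, and a scheme the parser mistook for a port. The block below is an added example written for this page, not Django's is_safe_url() or url_has_allowed_host_and_scheme(): a stand-alone validator that refuses every one of those inputs, and goes slightly beyond the four entries by also refusing "///host" and "http:///host" forms that browsers read as absolute. is_safe_redirect(), check_samples(), ALLOWED_HOSTS and the sample targets are constructed for the demo; the bypass strings are the ones quoted in the CVE descriptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# RFC 3986 scheme syntax, matched by hand so the verdict never depends on a
# URL parser's heuristics. Older urlparse treated "http:999999999" as having no
# scheme because the text after the colon looked like a port number, so the
# check approved it while browsers redirected to http://999999999
# (CVE-2017-7233).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if url may be placed in a Location header.

    Hypothetical helper written for this page; it follows the intent of
    Django's is_safe_url() checks but is not Django's code.
    """
    if not isinstance(url, str):
        return False
    # Browsers ignore leading whitespace, so "\njavascript:..." runs as a
    # javascript: URL although a parser sees no scheme (CVE-2015-0220).
    # Strip it first, then judge what the browser will actually see.
    url = url.strip()
    if not url:
        return False
    # Browsers also drop other control characters such as "\x08"
    # (CVE-2015-2317); any control character left means parser and browser
    # will disagree about the URL, so refuse outright.
    if any(unicodedata.category(ch).startswith("C") for ch in url):
        return False
    # Chrome rewrites "\" to "/" ahead of the authority, so
    # "http:\\\djangoproject.com" is absolute to the browser and a bare path
    # to urlsplit (CVE-2014-3730).
    if "\\" in url:
        return False
    # Three or more leading slashes: absolute to browsers, path-only to parsers.
    if url.startswith("///"):
        return False

    match = _SCHEME_RE.match(url)
    scheme = match.group(1).lower() if match else ""
    after_scheme = url[match.end():] if match else url
    # A scheme not followed by an authority ("javascript:alert(1)",
    # "http:999999999", "mailto:x@y") can never be a same-site redirect.
    if scheme and not after_scheme.startswith("//"):
        return False
    allowed_schemes = {"https"} if require_https else {"http", "https"}
    if scheme and scheme not in allowed_schemes:
        return False

    parts = urlsplit(url)
    if scheme and not parts.netloc:
        return False  # "http:///example.com": Chrome reads example.com as the host
    if not parts.netloc:
        return True  # relative path such as "/accounts/profile/": stays on this host
    if not scheme and require_https:
        return False  # scheme-relative "//host/" inherits the page scheme, maybe http
    return parts.netloc.lower() in {h.lower() for h in allowed_hosts}


ALLOWED_HOSTS = {"www.example.com"}  # constructed for the demo

# Constructed redirect targets mapped to the verdict we expect; the bypass
# strings are the ones quoted in the CVE descriptions above.
SAMPLES = {
    "/accounts/profile/": True,
    "https://www.example.com/dashboard": True,
    "//evil.example.net/": False,
    r"http:\\\djangoproject.com": False,             # CVE-2014-3730
    "\njavascript:alert(document.cookie)": False,    # CVE-2015-0220
    "\x08javascript:alert(document.cookie)": False,  # CVE-2015-2317
    "http:999999999": False,                         # CVE-2017-7233
    "http:///www.example.com/": False,
}


def check_samples():
    """Map each sample target to the verdict the validator gives it."""
    return {target: is_safe_redirect(target, ALLOWED_HOSTS) for target in SAMPLES}


if __name__ == "__main__":
    for target, verdict in check_samples().items():
        print(f"{'safe  ' if verdict else 'REJECT'} {target!r}")
```

The whole netloc is compared, so a host that serves on a non-default port has to appear in allowed_hosts with that port, and "user@host" forms are rejected rather than resolved. The common thread across the four entries is that the check must decide on what the browser will see, not on what a lenient parser returns; normalising first (strip, reject controls and backslashes, detect the scheme by grammar) is what closes the gap.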