
Djangoproject Django vulnerabilities

158 known vulnerabilities affecting djangoproject/django.

Total CVEs: 158
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 51, MEDIUM 87, LOW 6

Vulnerabilities (page 8 of 8)

Each entry lists: CVE | P-rating | severity | CVSS | affected versions | date, followed by the CWE and description, then the data sources (GHSA, NVD, OSV) the entry was drawn from.
CVE-2012-3443 | P4 | MEDIUM | CVSS 5.0 | ≤ 1.3; v0.95; +17 more | 2012-07-31
CWE-20: The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
Sources: GHSA, NVD, OSV

CVE-2013-4249 | P4 | MEDIUM | CVSS 4.3 | v1.5; v1.5.1; +1 more | 2013-10-04
CWE-79: Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField.
Sources: GHSA, NVD, OSV

CVE-2014-0481 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.4.13; v1.4; +27 more | 2014-08-26
CWE-399: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a mult
Sources: GHSA, NVD, OSV

CVE-2013-6044 | P4 | MEDIUM | CVSS 4.3 | v1.4; v1.4.1; +6 more | 2013-10-04
CWE-79: The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.au
Sources: GHSA, NVD, OSV

CVE-2010-3082 | P4 | MEDIUM | CVSS 4.3 | v1.2.1; v1.2.2 | 2010-09-14
CWE-79: Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
Sources: GHSA, NVD, OSV

CVE-2011-0697 | P4 | MEDIUM | CVSS 4.3 | v1.1; v1.1.0; +7 more | 2011-02-14
CWE-79: Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Sources: GHSA, NVD, OSV

CVE-2016-2513 | P4 | LOW | CVSS 3.1 | v1.8.9; v1.9; +2 more | 2016-04-08
CWE-200: The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Sources: GHSA, NVD, OSV

CVE-2015-2241 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.7.5; v1.8 | 2015-03-12
CWE-79: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Sources: GHSA, NVD, OSV

CVE-2010-4534 | P4 | MEDIUM | CVSS 4.0 | ≤ 1.1.2; v0.91; +13 more | 2011-01-10
CWE-264: The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstr
Sources: GHSA, NVD, OSV

CVE-2012-3442 | P4 | MEDIUM | CVSS 4.3 | fixed in 1.3.2; v1.4 | 2012-07-31
CWE-79: The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.
Sources: GHSA, NVD, OSV

CVE-2026-25674 | P4 | LOW | CVSS 3.7 | ≥ 4.2.0, < 4.2.29; ≥ 5.2, < 5.2.12; +2 more | 2026-03-03
CWE-362: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-
Sources: GHSA, NVD, OSV

CVE-2026-35193 | P4 | LOW | CVSS 3.1 | ≥ 5.2, < 5.2.15; ≥ 6.0, < 6.0.6 | 2026-06-03
CWE-524: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to th
Sources: NVD

CVE-2013-0305 | P4 | MEDIUM | CVSS 4.0 | v1.3; v1.3.1; +6 more | 2013-05-02
CWE-200: The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
Sources: GHSA, NVD, OSV

CVE-2008-2302 | P4 | MEDIUM | (no CVSS) | ≥ 0.91, < 0.91.2; ≥ 0.95, < 0.95.3; +1 more | 2022-05-01
CWE-79, Django Cross-site scripting (XSS) vulnerability: Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.
Sources: GHSA, OSV

CVE-2014-0483 | P4 | LOW | CVSS 3.5 | v1.5; v1.5.1; +27 more | 2014-08-26
CWE-264: The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page
Sources: GHSA, NVD, OSV

CVE-2026-7666 | P4 | LOW | CVSS 3.1 | ≥ 5.2, < 5.2.15; ≥ 6.0, < 6.0.6 | 2026-06-03
CWE-319: An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsu
Sources: NVD

CVE-2026-4292 | P4 | LOW | CVSS 2.7 | ≥ 4.2, < 4.2.30; ≥ 5.2, < 5.2.13; +1 more | 2026-04-07
CWE-862: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank
Sources: GHSA, NVD, OSV

CVE-2007-5712 | P4 | HIGH | (no CVSS) | ≥ 0.96.0, < 0.96.1; ≥ 0.95, < 0.95.2; +1 more | 2022-05-01
CWE-400, Django vulnerable to Denial of Service via i18n middleware component: The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
Sources: GHSA, OSV
