Total
116 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-53907 | 1 Djangoproject | 1 Django | 2025-06-24 | N/A | 7.5 HIGH |
| An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. | |||||
| CVE-2025-32873 | 1 Djangoproject | 1 Django | 2025-06-17 | N/A | 5.3 MEDIUM |
| An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). | |||||
| CVE-2024-38875 | 1 Djangoproject | 1 Django | 2025-06-16 | N/A | 7.5 HIGH |
| An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. | |||||
| CVE-2024-39329 | 1 Djangoproject | 1 Django | 2025-06-16 | N/A | 5.3 MEDIUM |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | |||||
| CVE-2024-39330 | 1 Djangoproject | 1 Django | 2025-06-16 | N/A | 4.3 MEDIUM |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | |||||
| CVE-2024-39614 | 1 Djangoproject | 1 Django | 2025-06-16 | N/A | 7.5 HIGH |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | |||||
| CVE-2024-53908 | 1 Djangoproject | 1 Django | 2025-06-09 | N/A | 9.8 CRITICAL |
| An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) | |||||
| CVE-2021-45116 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2025-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. | |||||
| CVE-2024-24680 | 1 Djangoproject | 1 Django | 2025-05-15 | N/A | 7.5 HIGH |
| An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. | |||||
| CVE-2022-41323 | 1 Djangoproject | 1 Django | 2025-05-14 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. | |||||
| CVE-2017-12794 | 1 Djangoproject | 1 Django | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings. | |||||
| CVE-2017-7233 | 1 Djangoproject | 1 Django | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. | |||||
| CVE-2017-7234 | 1 Djangoproject | 1 Django | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability. | |||||
| CVE-2015-5964 | 3 Canonical, Djangoproject, Oracle | 3 Ubuntu Linux, Django, Solaris | 2025-04-12 | 5.0 MEDIUM | N/A |
| The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. | |||||
| CVE-2015-0221 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2025-04-12 | 5.0 MEDIUM | N/A |
| The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | |||||
| CVE-2014-0482 | 2 Djangoproject, Opensuse | 2 Django, Opensuse | 2025-04-12 | 6.0 MEDIUM | N/A |
| The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. | |||||
| CVE-2014-1418 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2025-04-12 | 6.4 MEDIUM | N/A |
| Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers. | |||||
| CVE-2015-8213 | 1 Djangoproject | 1 Django | 2025-04-12 | 5.0 MEDIUM | N/A |
| The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. | |||||
| CVE-2015-0219 | 1 Djangoproject | 1 Django | 2025-04-12 | 5.0 MEDIUM | N/A |
| Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | |||||
| CVE-2014-0474 | 2 Canonical, Djangoproject | 2 Ubuntu Linux, Django | 2025-04-12 | 10.0 HIGH | N/A |
| The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting." | |||||