
djangoproject django

153 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-6907
>= 5.2 and < 5.2.14
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously cac
4.3 MEDIUM
CVE-2026-5766
>= 5.2 and < 5.2.14
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length he
5.3 MEDIUM
CVE-2026-35192
>= 5.2 and < 5.2.14
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not mod
6.5 MEDIUM
CVE-2026-4292
>= 4.2 and < 4.2.30
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.li
2.7 LOW
CVE-2026-4277
>= 4.2 and < 4.2.30
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances w
9.8 CRITICAL
CVE-2026-3902
>= 4.2 and < 4.2.30
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGIRequest allows a remote attacker to s
7.5 HIGH
CVE-2026-33034
>= 4.2 and < 4.2.30
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated
7.5 HIGH
CVE-2026-33033
>= 4.2 and < 4.2.30
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers t
6.5 MEDIUM
CVE-2026-34231
<= 0.6.2
Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the
6.1 MEDIUM
CVE-2026-25674
>= 4.2.0 and < 4.2.29
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and f
3.7 LOW
CVE-2026-25673
>= 4.2.0 and < 4.2.29
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.to_python() in Django calls `url
7.5 HIGH
CVE-2026-1312
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. .QuerySet.order_by() is subject to SQL in
5.4 MEDIUM
CVE-2026-1287
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL inject
5.4 MEDIUM
CVE-2026-1285
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. django.utils.text.Truncator.chars() and `
7.5 HIGH
CVE-2026-1207
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only imp
5.4 MEDIUM
CVE-2025-14550
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to c
7.5 HIGH
CVE-2025-13473
>= 4.2 and < 4.2.28
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.c
5.3 MEDIUM
CVE-2025-64460
>= 4.2 and < 4.2.27
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.seri
7.5 HIGH
CVE-2025-13372
>= 4.2 and < 4.2.27
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL inject
4.3 MEDIUM
CVE-2025-64459
>= 4.2 and < 4.2.26
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter(), `QuerySet.
9.1 CRITICAL
CVE-2025-64458
>= 4.2 and < 4.2.26
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Win
7.5 HIGH
CVE-2025-59682
>= 4.2.0 and < 4.2.25
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() f
3.1 LOW
CVE-2025-59681
>= 4.2 and < 4.2.25
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(
7.1 HIGH
CVE-2025-57833
>= 4.2 and < 4.2.24
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL i
7.1 HIGH
CVE-2025-48432
>= 4.2 and < 4.2.23
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does
4.0 MEDIUM
CVE-2025-32873
>= 4.2.0 and < 4.2.21
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() fu
5.3 MEDIUM
CVE-2025-27556
>= 5.0 and < 5.0.14
An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a conseque
5.8 MEDIUM
CVE-2025-26699
>= 4.2 and < 4.2.20
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method
5.0 MEDIUM
CVE-2024-56374
>= 4.2 and < 4.2.18
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcemen
5.8 MEDIUM
CVE-2024-53908
>= 4.2 and < 4.2.17
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models
9.8 CRITICAL
CVE-2024-53907
>= 4.2 and < 4.2.17
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptag
7.5 HIGH
CVE-2024-45231
>= 4.2.0 and < 4.2.16
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in
5.3 MEDIUM
CVE-2024-45230
>= 4.2.0 and < 4.2.16
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() templa
7.5 HIGH
CVE-2024-42005
>= 4.2 and < 4.2.15
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models wi
7.3 HIGH
CVE-2024-41991
>= 4.2 and < 4.2.15
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the Adm
7.5 HIGH
CVE-2024-41990
>= 4.2 and < 4.2.15
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subj
7.5 HIGH
CVE-2024-41989
>= 4.2 and < 4.2.15
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significan
7.5 HIGH
CVE-2024-39614
>= 4.2 and < 4.2.14
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potent
7.5 HIGH
CVE-2024-39330
>= 4.2 and < 4.2.14
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage
4.3 MEDIUM
CVE-2024-39329
>= 4.2 and < 4.2.14
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authentica
5.3 MEDIUM
CVE-2024-38875
>= 4.2 and < 4.2.14
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denia
7.5 HIGH
CVE-2024-27351
>= 3.2 and < 3.2.25
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=Tr
5.3 MEDIUM
CVE-2024-24680
>= 3.2 and < 3.2.24
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter
7.5 HIGH
CVE-2024-22199
< 3.1.9
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. T
9.3 CRITICAL
CVE-2023-43665
>= 3.2 and < 3.2.22
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods
7.5 HIGH
CVE-2023-41164
>= 3.2 and < 3.2.21
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential
7.5 HIGH
CVE-2023-46695
>= 3.2 and < 3.2.23
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Wi
7.5 HIGH
CVE-2023-36053
>= 3.2 and < 3.2.20
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReD
7.5 HIGH
CVE-2023-31047
>= 3.2 and < 3.2.19
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form fiel
9.8 CRITICAL
CVE-2023-24580
>= 3.2 and < 3.2.18
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Pass
7.5 HIGH
CVE-2023-23969
>= 3.2 and < 3.2.17
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in or
7.5 HIGH
CVE-2022-41323
>= 3.2 and < 3.2.16
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of
7.5 HIGH
CVE-2022-36359
>= 3.2 and < 3.2.15
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnera
8.8 HIGH
CVE-2022-34265
>= 3.2 and < 3.2.14
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject
9.8 CRITICAL
CVE-2022-28347
>= 2.2 and < 2.2.28
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. T
9.8 CRITICAL
CVE-2022-28346
>= 2.2 and < 2.2.28
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), an
9.8 CRITICAL
CVE-2022-23833
>= 2.2 and < 2.2.27
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain i
7.5 HIGH
CVE-2022-22818
>= 2.2 and < 2.2.27
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the cur
6.1 MEDIUM
CVE-2021-45452
>= 2.2 and < 2.2.26
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames
5.3 MEDIUM
CVE-2021-45116
>= 2.2 and < 2.2.26
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Templat
7.5 HIGH
CVE-2021-45115
>= 2.2 and < 2.2.26
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator inc
7.5 HIGH
CVE-2021-44420
>= 2.2 and < 2.2.25
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass
7.3 HIGH
CVE-2021-35042
>= 3.1 and < 3.1.13
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a cli
9.8 CRITICAL
CVE-2021-33571
>= 2.2 and < 2.2.24
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_addr
7.5 HIGH
CVE-2021-33203
< 2.2.24
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs.
4.9 MEDIUM
CVE-2021-32052
>= 2.2 and < 2.2.22
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines
6.1 MEDIUM
CVE-2021-31542
>= 2.2 and < 2.2.21
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed director
7.5 HIGH
CVE-2021-28658
>= 2.2 and < 2.2.20
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded fil
5.3 MEDIUM
CVE-2021-23336
>= 2.2 and < 2.2.19
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and bef
5.9 MEDIUM
CVE-2021-3281
>= 2.2 and < 2.2.18
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp -
5.3 MEDIUM
CVE-2020-24584
>= 2.2 and < 2.2.16
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The inter
7.5 HIGH
CVE-2020-24583
>= 2.2 and < 2.2.16
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLO
7.5 HIGH
CVE-2020-13596
>= 2.2 and < 2.2.13
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKe
6.1 MEDIUM
CVE-2020-13254
>= 2.2 and < 2.2.13
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key
5.9 MEDIUM
CVE-2020-9402
>= 1.11 and < 1.11.29
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance
8.8 HIGH
CVE-2020-7471
>= 1.11 and < 1.11.28
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg
9.8 CRITICAL
CVE-2019-19844
< 1.11.27
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is e
9.8 CRITICAL
CVE-2019-19118
>= 2.1 and < 2.1.15
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related mode
6.5 MEDIUM
CVE-2019-14234
>= 1.11 and < 1.11.23
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow k
9.8 CRITICAL
CVE-2019-14235
>= 1.11 and < 1.11.23
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, dj
7.5 HIGH
CVE-2019-14233
>= 1.11 and < 1.11.23
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the
7.5 HIGH
CVE-2019-14232
>= 1.11 and < 1.11.23
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncat
7.5 HIGH
CVE-2019-12781
>= 1.11 and < 1.11.22
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected
5.3 MEDIUM
CVE-2019-12308
>= 1.11 and < 1.11.21
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value dis
6.1 MEDIUM
CVE-2019-6975
>= 1.11.0 and < 1.11.19
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious a
7.5 HIGH
CVE-2019-3498
>= 1.11 and < 1.11.18
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Ou
6.5 MEDIUM
CVE-2018-16984
>= 2.1 and < 2.1.2
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts
4.9 MEDIUM
CVE-2018-14574
>= 1.11 and < 1.11.15
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
6.1 MEDIUM
CVE-2018-7537
>= 1.8 and < 1.8.19
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's c
5.3 MEDIUM
CVE-2018-7536
>= 1.8 and < 1.8.19
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() fun
5.3 MEDIUM
CVE-2018-6188
all versions
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain
7.5 HIGH
CVE-2017-12794
all versions
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the techn
6.1 MEDIUM
CVE-2017-7234
all versions
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views
6.1 MEDIUM
CVE-2017-7233
all versions
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an
6.1 MEDIUM
CVE-2016-9014
all versions
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attack
8.1 HIGH
CVE-2016-9013
all versions
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user c
9.8 CRITICAL
CVE-2016-7401
<= 1.8.14
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote
7.5 HIGH
CVE-2016-6186
<= 1.8.13
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/Re
6.1 MEDIUM
CVE-2016-2513
all versions
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate
3.1 LOW
CVE-2016-2512
all versions
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to ar
7.4 HIGH
CVE-2016-2048
all versions
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access res
5.5 MEDIUM
CVE-2015-8213
<= 1.7.10
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 migh
CVE-2015-5964
all versions
The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.
CVE-2015-5963
all versions
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly
CVE-2015-5145
all versions
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via un
CVE-2015-5144
<= 1.4.20
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which
CVE-2015-5143
all versions
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attack
CVE-2015-3982
all versions
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows
CVE-2015-2317
<= 1.4.19
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c
CVE-2015-2316
all versions
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain v
CVE-2015-2241
<= 1.7.5
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2
CVE-2015-0222
<= 1.4.17
ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows rem
CVE-2015-0221
<= 1.4.17
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line
CVE-2015-0220
<= 1.4.17
The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly h
CVE-2015-0219
<= 1.4.17
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (und
CVE-2014-0483
<= 1.4.13
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before relea
CVE-2014-0482
<= 1.4.13
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1
CVE-2014-0481
<= 1.4.13
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and
CVE-2014-0480
<= 1.4.13
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release can
CVE-2014-3730
all versions
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 do
CVE-2014-1418
all versions
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie
CVE-2014-0474
<= 1.4.10
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before
CVE-2014-0473
<= 1.4.10
The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
CVE-2014-0472
<= 1.4.10
The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.
CVE-2013-6044
all versions
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's s
CVE-2013-4249
all versions
Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.
CVE-2013-1443
all versions
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 a
CVE-2013-4315
all versions
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote atta
CVE-2013-0306
all versions
The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to b
CVE-2013-0305
all versions
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check
CVE-2012-4520
all versions
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to gener
CVE-2012-3444
<= 1.3
The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constan
CVE-2012-3443
<= 1.3
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image d
CVE-2012-3442
< 1.3.2
The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.
CVE-2011-4140
<= 1.2.6
The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations s
CVE-2011-4139
<= 1.2.6
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, whi
CVE-2011-4138
<= 1.2.6
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a UR
CVE-2011-4137
<= 1.2.6
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libr
CVE-2011-4136
<= 1.2.6
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root nam
CVE-2011-0698
all versions
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to r
CVE-2011-0697
all versions
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to injec
CVE-2011-0696
all versions
Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header,
CVE-2010-4535
<= 1.1.2
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 do
CVE-2010-4534
<= 1.1.2
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does
CVE-2010-3082
all versions
Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HT
CVE-2009-3695
all versions
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers
CVE-2009-2659
all versions
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static
CVE-2008-3909
>= 0.91 and < 0.91.3
The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after s
CVE-2008-2302
all versions
Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 be
CVE-2007-5828
all versions
Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of a
CVE-2007-5712
all versions
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, w
CVE-2007-0405
all versions
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which al
CVE-2007-0404
all versions
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system fu
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin