Django Project Django Python Web Framework
EOL Dates
Ensure that you are running a supported version of Django. Django's release process gives every feature release a period of mainstream support (bug fixes and security fixes) until the next feature release, followed by extended support (security and data-loss fixes only) until the release after that; long-term support (LTS) releases get about three years of extended support. In the table below, "End of Support" is the end of mainstream support and "EOL" is the end of extended support. A series past its EOL receives no security fixes at all, which is why the advisories further down say that older series "were not evaluated and may also be affected".
| Release | EOL (end of extended support) | End of Support (end of mainstream support) | Status |
|---|---|---|---|
| 6.0 | April 30, 2027 | August 31, 2026 | Active |
| 5.2 (LTS) | April 30, 2028 | December 3, 2025 | Active (extended support) |
| 5.1 | December 3, 2025 | April 2, 2025 | EOL |
| 5.0 | April 2, 2025 | August 7, 2024 | EOL |
| 4.2 (LTS) | April 30, 2026 | December 4, 2023 | Active (extended support); EOL on April 30, 2026 |
| 4.1 | December 1, 2023 | April 5, 2023 | EOL |
| 4.0 | April 1, 2023 | August 3, 2022 | EOL |
| 3.2 (LTS) | April 1, 2024 | December 7, 2021 | EOL |
| 3.1 | December 7, 2021 | April 6, 2021 | EOL |
| 3.0 | April 6, 2021 | August 3, 2020 | EOL |
| 2.2 (LTS) | April 11, 2022 | December 2, 2019 | EOL |
| 2.1 | December 2, 2019 | April 1, 2019 | EOL |
| 2.0 | April 1, 2019 | August 1, 2018 | EOL |
| 1.11 (LTS) | April 1, 2020 | December 2, 2017 | EOL |
| 1.10 | December 2, 2017 | April 4, 2017 | EOL |
| 1.9 | April 4, 2017 | August 1, 2016 | EOL |
| 1.8 (LTS) | April 1, 2018 | December 1, 2015 | EOL |
| 1.7 | December 1, 2015 | April 1, 2015 | EOL |
| 1.6 | April 1, 2015 | September 2, 2014 | EOL |
| 1.5 | September 2, 2014 | November 6, 2013 | EOL |
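The table is only useful if something checks it. The script below is an added example (not part of this page and not Django code) that classifies an installed Django version against the EOL dates above and against the fixed releases of the February 3, 2026 advisories listed further down (6.0.2, 5.2.11, 4.2.28). The `EOL` and `MIN_PATCHED` tables are copied from this page and have to be updated when new advisories appear; series older than 3.2 are simply treated as EOL.

```python
"""Check a Django version against the support table above.

Added example for this page; it is not Django code and not part of the
stack.watch listing.  EOL dates come from the table (series before 3.2 are
treated as EOL).  MIN_PATCHED holds the fixed releases of the February 3,
2026 advisories (6.0.2, 5.2.11, 4.2.28); update it on each new advisory.
"""
from __future__ import annotations

import re
from datetime import date
from importlib.metadata import PackageNotFoundError, version as installed_version

# Release series -> end of extended support (no security fixes afterwards).
EOL: dict[tuple[int, int], date] = {
    (6, 0): date(2027, 4, 30),
    (5, 2): date(2028, 4, 30),
    (5, 1): date(2025, 12, 3),
    (5, 0): date(2025, 4, 2),
    (4, 2): date(2026, 4, 30),
    (4, 1): date(2023, 12, 1),
    (4, 0): date(2023, 4, 1),
    (3, 2): date(2024, 4, 1),
}

# Release series -> first release that contains the February 2026 fixes.
MIN_PATCHED: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '5.2', '5.2.11' or '6.0a1' into a comparable (major, minor, micro)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Django version string: {text!r}")
    major, minor, micro = m.groups()
    return int(major), int(minor), int(micro or 0)


def assess(version_text: str, today: date) -> dict:
    """Classify a version as 'ok', 'upgrade_patch' or 'upgrade_series'.

    'upgrade_patch': the series is still supported but this release predates
    the latest security fixes.  'upgrade_series': the series is past EOL or
    not in the table, so no patch release will ever exist for it.
    """
    ver = parse_version(version_text)
    series = ver[:2]
    eol = EOL.get(series)
    supported = eol is not None and today <= eol
    # An EOL series never received the fix, whatever its micro version says.
    patched = supported and series in MIN_PATCHED and ver >= MIN_PATCHED[series]
    if not supported:
        action = "upgrade_series"
    elif not patched:
        action = "upgrade_patch"
    else:
        action = "ok"
    return {
        "version": ver,
        "series": f"{series[0]}.{series[1]}",
        "eol": eol,
        "supported": supported,
        "patched": patched,
        "action": action,
    }


def supported_series(today: date) -> list[str]:
    """Series still receiving security fixes on `today`, newest first."""
    live = sorted((s for s, eol in EOL.items() if today <= eol), reverse=True)
    return [f"{major}.{minor}" for major, minor in live]


if __name__ == "__main__":
    try:
        current = installed_version("Django")
    except PackageNotFoundError:
        current = "4.2.27"  # constructed fallback when Django is not installed
    report = assess(current, date.today())
    print(f"Django {current}: series {report['series']} -> {report['action']}")
    print("series with security support today:", ", ".join(supported_series(date.today())))
```

Run it in the virtualenv of the deployment you are auditing; `importlib.metadata` reads the installed distribution, so no network access is needed. Note the deliberate asymmetry in `assess()`: a release on an EOL series is reported as `upgrade_series` even when its micro version is high, because the micro number of an unsupported series says nothing about which fixes it contains.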
By the Year
In 2026 so far, 6 vulnerabilities have been published for Django, with an average CVSS base score of 6.08. In 2025 there were 8, with an average base score of 6.65, 0.57 higher than this year's average. If vulnerabilities keep arriving at the current rate, the 2026 total would surpass last year's.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 6 | 6.08 |
| 2025 | 8 | 6.65 |
| 2024 | 13 | 7.02 |
| 2023 | 7 | 7.96 |
| 2022 | 10 | 7.96 |
| 2021 | 8 | 6.69 |
| 2020 | 6 | 7.60 |
| 2019 | 10 | 7.40 |
| 2018 | 5 | 5.82 |
It may take a day or so for new Django vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Django Project Django Security Vulnerabilities
Django ASGIRequest DoS via duplicate headers in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2025-14550
7.5 - High
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
Inefficient Algorithmic Complexity
Django SQLi via QuerySet.order_by() column aliases containing periods in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2026-1312
5.4 - Medium
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
SQL Injection
Django SQLi via FilteredRelation column aliases containing control characters in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2026-1287
5.4 - Medium
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
SQL Injection
Django Truncator / truncatechars_html / truncatewords_html DoS via unmatched HTML end tags in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2026-1285
7.5 - High
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Inefficient Algorithmic Complexity
Django SQLi via RasterField band index on PostGIS in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2026-1207
5.4 - Medium
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
SQL Injection
Django user enumeration via timing in modwsgi check_password() in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28
CVE-2025-13473
5.3 - Medium
- February 03, 2026
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Observable Timing Discrepancy
Django DoS via XML Deserializer getInnerText() in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27
CVE-2025-64460
7.5 - High
- December 02, 2025
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Inefficient Algorithmic Complexity
Django SQLi via FilteredRelation column aliases on PostgreSQL in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27
CVE-2025-13372
4.3 - Medium
- December 02, 2025
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
SQL Injection
Django SQLi via QuerySet filter()/exclude()/get() and Q() `_connector` in 5.2 before 5.2.8, 5.1 before 5.1.14, and 4.2 before 4.2.26
CVE-2025-64459
9.1 - Critical
- November 05, 2025
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
SQL Injection
Django redirect DoS via slow NFKC normalization on Windows in 5.2 before 5.2.8, 5.1 before 5.1.14, and 4.2 before 4.2.26
CVE-2025-64458
7.5 - High
- November 05, 2025
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Inefficient Algorithmic Complexity
Django 4.2/5.x Partial Path Traversal in django.utils.archive.extract before 4.2.25/5.1.13/5.2.7
CVE-2025-59682
3.1 - Low
- October 01, 2025
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Relative Path Traversal
Django SQLi via QuerySet annotate()/alias()/aggregate()/extra() column aliases on MySQL and MariaDB before 4.2.25, 5.1.13, and 5.2.7
CVE-2025-59681
7.1 - High
- October 01, 2025
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
SQL Injection
Django SQLi via FilteredRelation column aliases before 4.2.24, 5.1.12, and 5.2.6
CVE-2025-57833
7.1 - High
- September 03, 2025
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
SQL Injection
Denial-of-Service in Django 4.2/5.x via strip_tags()
CVE-2025-32873
7.5 - High
- May 08, 2025
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Django: Denial-of-Service Vulnerability in strip_tags() Method and striptags Template Filter
CVE-2024-53907
- December 06, 2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
SQL Injection Vulnerability in Django's JSON Field Lookup on Oracle Database
CVE-2024-53908
- December 06, 2024
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Django 5.1/5.0/4.2 URLize Filters DoS via Large Inputs
CVE-2024-45230
7.5 - High
- October 08, 2024
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Django PasswordResetForm email enumeration via failing email delivery before 5.1.1, 5.0.9, and 4.2.16
CVE-2024-45231
5.3 - Medium
- October 08, 2024
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16 (the published CVE text names the fixed releases "v5.1.1, v5.0.9, and v4.2.16"; the fix shipped in the same September 2024 releases as CVE-2024-45230). The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
SQLi in Django 5.0/4.2 via QuerySet.values() JSONField alias
CVE-2024-42005
9.8 - Critical
- August 07, 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
SQL Injection
Django 4.2/5.0 urlize/urlizetrunc and AdminURLFieldWidget DoS via very large Unicode inputs (before 5.0.8/4.2.15)
CVE-2024-41991
7.5 - High
- August 07, 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
length manipulation
Django 5.0/4.2 urlize/urlizetrunc DoS via large inputs (before 5.0.8/4.2.15)
CVE-2024-41990
7.5 - High
- August 07, 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
length manipulation
Django 5.0/4.2 floatformat filter memory exhaustion via scientific notation with a large exponent (before 5.0.8/4.2.15)
CVE-2024-41989
7.5 - High
- August 07, 2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Resource Exhaustion
DoS via get_supported_language_variant in Django <5.0.7 & <4.2.14
CVE-2024-39614
7.5 - High
- July 10, 2024
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
length manipulation
Django directory traversal via custom Storage.generate_filename() overrides in 4.2 before 4.2.14 and 5.0 before 5.0.7
CVE-2024-39330
4.3 - Medium
- July 10, 2024
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
Directory traversal
Django user enumeration via timing in ModelBackend.authenticate() before 5.0.7 and 4.2.14
CVE-2024-39329
5.3 - Medium
- July 10, 2024
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Observable Timing Discrepancy
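The two timing entries on this page (ModelBackend.authenticate() above and the mod_wsgi check_password() entry under CVE-2025-13473) share one root cause: the code skipped the password hash when there was nothing to verify, so a login for an unknown user or a user with an unusable password answered measurably faster. The following is an added example, not Django's implementation: a constructed user store with PBKDF2 hashes, a leaky authenticator and one that burns the same hashing cost on every path, which is the remedy Django applied. The side channel is made deterministic by counting hash computations instead of timing them; `CountingHasher`, `make_users`, `DUMMY_SALT` and the sample accounts are all constructed for this example.

```python
"""User enumeration through timing: do the same work for unknown users and
users with an unusable password.

Added example, not Django code.  The user store, the salts and the
CountingHasher are constructed here; the remedy (a dummy hash on the
reject path) is the approach described for the page's two timing entries.
"""
import hashlib
import hmac

ITERATIONS = 20_000                    # fixed, deliberately noticeable cost
DUMMY_SALT = b"constructed-dummy-salt"  # salt for the dummy hash on reject paths


class CountingHasher:
    """PBKDF2-HMAC-SHA256 wrapper that records how many times it ran."""

    def __init__(self) -> None:
        self.calls = 0

    def hash(self, password: str, salt: bytes) -> bytes:
        self.calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_users(hasher: CountingHasher) -> dict:
    """Constructed accounts: alice has a password, bob is SSO-only (unusable password)."""
    salt = b"constructed-salt-alice"
    return {
        "alice": {"salt": salt, "hash": hasher.hash("correct horse battery", salt)},
        "bob": {"salt": None, "hash": None},
    }


def authenticate_leaky(users, hasher, username, password) -> bool:
    """Pre-fix shape: no hashing when there is nothing to compare against."""
    user = users.get(username)
    if user is None or user["hash"] is None:
        return False                      # fast path -> the response arrives early
    return hmac.compare_digest(hasher.hash(password, user["salt"]), user["hash"])


def authenticate_uniform(users, hasher, username, password) -> bool:
    """Fixed shape: spend the same hashing cost, then reject."""
    user = users.get(username)
    if user is None or user["hash"] is None:
        hasher.hash(password, DUMMY_SALT)  # same work as a real verification
        return False
    return hmac.compare_digest(hasher.hash(password, user["salt"]), user["hash"])


def hash_cost(authenticate, username: str, password: str) -> int:
    """PBKDF2 runs caused by one login attempt; the attacker observes this as latency."""
    hasher = CountingHasher()
    users = make_users(hasher)
    before = hasher.calls
    authenticate(users, hasher, username, password)
    return hasher.calls - before


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        costs = {u: hash_cost(fn, u, "guess") for u in ("alice", "bob", "mallory")}
        print(name, costs)   # leaky: alice 1, bob 0, mallory 0; uniform: all 1
```

The point to carry into code review: any branch in an authentication path that returns before the expensive step is a user-existence oracle, whatever the error message says. The dummy hash must use the same algorithm and iteration count as the real one, otherwise the two paths are still distinguishable.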
Django 4.2/5.0 denial of service via urlize/urlizetrunc with many brackets (before 4.2.14 / 5.0.7)
CVE-2024-38875
7.5 - High
- July 10, 2024
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
length manipulation
DoS via long string in Django intcomma filter (pre 3.2.24/4.2.10/5.0.2)
CVE-2024-24680
7.5 - High
- February 06, 2024
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
DoS via uri_to_iri() in Django 3.2<3.2.21, 4.1<4.1.11, 4.2<4.2.5
CVE-2023-41164
- November 03, 2023
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Django 3.2/4.1/4.2 Truncator DoS via html=True (before 3.2.22/4.1.12/4.2.6)
CVE-2023-43665
- November 03, 2023
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Django NFKC DoS on Windows via auth UsernameField (before 3.2.23/4.1.13/4.2.7)
CVE-2023-46695
7.5 - High
- November 02, 2023
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Allocation of Resources Without Limits or Throttling
Django URLValidator/EmailValidator ReDoS before 3.2.20/4.1.10/4.2.3
CVE-2023-36053
7.5 - High
- July 03, 2023
In Django 3.2 before 3.2.20, 4.1 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels in emails and URLs.
ReDoS
Django 3.2-4.2 Multiple File Upload Validation Bypass
CVE-2023-31047
9.8 - Critical
- May 07, 2023
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Improper Input Validation
Django multipart request parser DoS via an excessive number of parts (before 3.2.18/4.0.10/4.1.7)
CVE-2023-24580
7.5 - High
- February 15, 2023
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Resource Exhaustion
Django DoS via memory growth of the Accept-Language parsing cache (before 3.2.17/4.0.9/4.1.6)
CVE-2023-23969
7.5 - High
- February 01, 2023
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Allocation of Resources Without Limits or Throttling
Django <3.2.16, <4.0.8, <4.1.2 URL regex DoS via locale param
CVE-2022-41323
7.5 - High
- October 16, 2022
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Django 3.2/4.0 reflected file download via FileResponse Content-Disposition header (before 3.2.15/4.0.7)
CVE-2022-36359
8.8 - High
- August 03, 2022
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Download of Code Without Integrity Check
Django SQLi via Trunc()/Extract() kind and lookup_name values in 3.2 before 3.2.14 and 4.0 before 4.0.6
CVE-2022-34265
9.8 - Critical
- July 04, 2022
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
SQL Injection
Django SQLi via QuerySet annotate()/aggregate()/extra() column aliases in 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4
CVE-2022-28346
9.8 - Critical
- April 12, 2022
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
SQL Injection
Django SQLi via QuerySet.explain() option names in 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4
CVE-2022-28347
9.8 - Critical
- April 12, 2022
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
SQL Injection
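A large share of this list is one pattern: a QuerySet method (annotate(), alias(), aggregate(), extra(), values(), explain(), FilteredRelation, Q()) is called with `**kwargs` built from a dictionary the attacker influences, and a dictionary *key* ends up in the SQL text as a column alias, an option name or the Q() `_connector`. Keys cannot be sent as bound parameters, so parameterization does not help; the fix in Django was to validate them, and the fix in application code is to never let request data pick the keys. The following is an added example that does not use Django: a miniature query builder with the pre-fix and hardened shapes, run against a constructed SQLite table. `annotate_vulnerable`, `filter_where_vulnerable` and the `auth_user` rows are constructed for this example; the positive identifier allowlist is this example's choice and is stricter than the forbidden-character check Django's fixes apply.

```python
"""Dictionary expansion as an injection path: a model of the alias and
Q() `_connector` bugs listed on this page.

Added example, not Django code; standard library only, with a constructed
SQLite table.  When a view does `qs.annotate(**request.GET.dict())`, the
attacker controls the dict keys, and keys are spliced into the SQL text.
"""
import re
import sqlite3

# Constructed sample table; the password column is what the attacker wants.
ROWS = [("alice", "pbkdf2$a"), ("bob", "pbkdf2$b")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", ROWS)
    return conn


def annotate_vulnerable(conn, **aliases):
    """Pre-fix shape: alias names are spliced into the SQL text unchecked.

    `aliases` maps alias -> column.  The column is a fixed, trusted name;
    the alias is whatever key the caller supplied.
    """
    select = ", ".join(f"{col} AS {alias}" for alias, col in aliases.items())
    return conn.execute(f"SELECT {select} FROM auth_user").fetchall()


# Positive allowlist: an alias must be a plain identifier.  Application code
# knows its legal alias set, so it can afford to be this strict.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_alias(alias: str) -> str:
    if not IDENTIFIER.fullmatch(alias):
        raise ValueError(f"refusing unsafe alias {alias!r}")
    return alias


def annotate_hardened(conn, **aliases):
    """Same builder, but every alias is validated before it touches the SQL."""
    select = ", ".join(f"{col} AS {check_alias(a)}" for a, col in aliases.items())
    return conn.execute(f"SELECT {select} FROM auth_user").fetchall()


def filter_where_vulnerable(conn, _connector="AND", **conditions):
    """Model of Q(**kwargs): values are bound parameters, but `_connector`
    is pasted between the conditions verbatim."""
    cols = list(conditions)
    where = f" {_connector} ".join(f"{c} = ?" for c in cols)
    params = [conditions[c] for c in cols]
    return conn.execute(f"SELECT username FROM auth_user WHERE {where}", params).fetchall()


def filter_where_hardened(conn, _connector="AND", **conditions):
    """The connector is an enum, not a string: accept exactly the two legal values."""
    if _connector not in ("AND", "OR"):
        raise ValueError(f"invalid connector {_connector!r}")
    return filter_where_vulnerable(conn, _connector=_connector, **conditions)


if __name__ == "__main__":
    db = make_db()
    # Attacker-controlled key: a second column rides along behind the alias.
    print("alias injection:", annotate_vulnerable(db, **{"display, password": "username"}))
    # Attacker-controlled connector turns the AND into a tautology.
    print("connector injection:", filter_where_vulnerable(
        db, **{"_connector": "OR 1=1 OR", "username": "nobody", "password": "x"}))
    for attempt in (lambda: annotate_hardened(db, **{"display, password": "username"}),
                    lambda: filter_where_hardened(db, **{"_connector": "OR 1=1 OR", "username": "nobody"})):
        try:
            attempt()
        except ValueError as exc:
            print("hardened:", exc)
```

SQLite refuses stacked statements in `execute()`, so the demonstration uses the quieter payloads an alias actually allows: pulling extra columns into the result and rewriting the boolean structure of the WHERE clause. In a Django view the equivalent rule is to map request parameters onto a fixed dictionary of known aliases and field names, and to treat a key you did not write yourself as an attack.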
Django XSS via the {% debug %} template tag in 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2
CVE-2022-22818
6.1 - Medium
- February 03, 2022
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
XSS
Django MultiPartParser infinite loop DoS in 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2
CVE-2022-23833
7.5 - High
- February 03, 2022
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Infinite Loop
Django directory traversal via Storage.save() in 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1
CVE-2021-45452
5.3 - Medium
- January 05, 2022
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Directory traversal
Django dictsort template filter information disclosure or unintended method call in 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1
CVE-2021-45116
7.5 - High
- January 05, 2022
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Improper Input Validation
Django DoS via UserAttributeSimilarityValidator with very large passwords in 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1
CVE-2021-45115
7.5 - High
- January 05, 2022
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
Django upstream path-based access control bypass via trailing newlines in URLs in 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10
CVE-2021-44420
7.3 - High
- December 08, 2021
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Django SQLi via untrusted QuerySet.order_by() input in 3.1 before 3.1.13 and 3.2 before 3.2.5
CVE-2021-35042
9.8 - Critical
- July 02, 2021
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
SQL Injection
Django directory traversal via django.contrib.admindocs TemplateDetailView before 2.2.24, 3.1.12, and 3.2.4
CVE-2021-33203
4.9 - Medium
- June 08, 2021
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Directory traversal
Django IP-based access control bypass via leading zeros in URLValidator, validate_ipv4_address, and validate_ipv46_address before 2.2.24, 3.1.12, and 3.2.4
CVE-2021-33571
7.5 - High
- June 08, 2021
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected on Python 3.9.5+.)
SSRF
Django directory traversal via crafted upload file names in MultiPartParser, UploadedFile, and FieldFile in 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1
CVE-2021-31542
7.5 - High
- May 05, 2021
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Directory traversal
Django directory traversal via crafted upload file names in MultiPartParser in 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8
CVE-2021-28658
5.3 - Medium
- April 06, 2021
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Directory traversal
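Five entries on this page are file-path escapes: crafted upload names reaching MultiPartParser, UploadedFile and FieldFile (CVE-2021-28658, CVE-2021-31542), names passed straight to Storage.save() (CVE-2021-45452), custom Storage.generate_filename() overrides that drop the parent's validation (CVE-2024-39330), and the "shared prefix" containment bug in django.utils.archive.extract() (CVE-2025-59682). The following is an added example, not Django's code: a file-name validator in the spirit of the check the built-in storage classes apply, and a containment check that compares whole path components instead of string prefixes. `SuspiciousFileOperation` is a local stand-in for Django's exception of that name, and the paths under `/srv/app` are constructed; POSIX path functions are used explicitly so the results do not depend on the host platform.

```python
"""Keeping user-controlled file names inside the target directory.

Added example, not Django code.  validate_file_name() is modelled on the
check a storage backend must keep when generate_filename() is overridden;
is_inside()/safe_join() show the correct containment test next to the
startswith() mistake described for django.utils.archive.extract().
"""
import posixpath


class SuspiciousFileOperation(ValueError):
    """Stand-in for Django's exception of the same name."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Reject names that could leave the storage root.

    Without allow_relative_path (what a backend should apply to an uploaded
    name) any directory part is refused.  With it, a relative path is
    accepted only if it is not absolute and contains no '..' segment.
    Backslashes are treated as separators so Windows-style names cannot
    slip past the check on a POSIX host.
    """
    normalized = name.replace("\\", "/")
    if posixpath.basename(normalized) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        if normalized.startswith("/") or ".." in normalized.split("/"):
            raise SuspiciousFileOperation(f"detected path traversal in {name!r}")
    elif normalized != posixpath.basename(normalized):
        raise SuspiciousFileOperation(f"file name {name!r} includes a path")
    return name


def is_inside_naive(base: str, target: str) -> bool:
    """The shared-prefix bug: '/srv/app-evil/x' starts with '/srv/app'."""
    return posixpath.normpath(target).startswith(posixpath.normpath(base))


def is_inside(base: str, target: str) -> bool:
    """Correct containment: compare whole components after normalizing."""
    base_n = posixpath.normpath(base)
    target_n = posixpath.normpath(target)
    try:
        return posixpath.commonpath([base_n, target_n]) == base_n
    except ValueError:          # mixing absolute and relative paths
        return False


def safe_join(base: str, *paths: str) -> str:
    """Join, then refuse anything that resolves outside `base`."""
    final = posixpath.normpath(posixpath.join(base, *paths))
    if not is_inside(base, final):
        raise SuspiciousFileOperation(f"{final!r} is outside {base!r}")
    return final


if __name__ == "__main__":
    base = "/srv/app"
    for candidate in ("/srv/app/media/x.png", "/srv/app-evil/x.png", "/srv/app/../app-evil/x.png"):
        print(f"{candidate}: naive={is_inside_naive(base, candidate)} correct={is_inside(base, candidate)}")
    for name in ("report.pdf", "../report.pdf", "..\\..\\report.pdf", "uploads/"):
        try:
            print("accepted:", validate_file_name(name))
        except SuspiciousFileOperation as exc:
            print("rejected:", exc)
```

If you subclass a storage backend, keep the call to the file-name validation the parent performs in generate_filename() (or re-implement it as above) before handing the name to the filesystem; a custom override that only "cleans up" the name is exactly the gap the CVE-2024-39330 entry describes. For archive extraction or any other join of a trusted root with untrusted segments, `commonpath()` after normalization is the test; a prefix comparison on the string is not.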