Medium severity5.5NVD Advisory· Published Feb 8, 2016· Updated Jun 17, 2026
CVE-2016-2048
CVE-2016-2048
Description
Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 1.9, < 1.9.2 | 1.9.2 |
Affected products
3cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-46x4-9jmv-jc8pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-2048ghsaADVISORY
- github.com/django/django/commit/adbca5e4db42542575734b8e5d26961c8ada7265ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-14.yamlghsaWEB
- web.archive.org/web/20210123075529/http://www.securityfocus.com/bid/82329ghsaWEB
- web.archive.org/web/20211204051406/http://www.securitytracker.com/id/1034894ghsaWEB
- www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189ghsaWEB
- www.securityfocus.com/bid/82329nvd
- www.securitytracker.com/id/1034894nvd
- www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/nvd
News mentions
0No linked articles in our index yet.