Medium severity5.3NVD Advisory· Published Mar 9, 2018· Updated Jun 17, 2026
CVE-2018-7536
CVE-2018-7536
Description
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 2.0a1, < 2.0.3 | 2.0.3 |
DjangoPyPI | >= 1.11a1, < 1.11.11 | 1.11.11 |
DjangoPyPI | >= 1.8a1, < 1.8.19 | 1.8.19 |
Affected products
10- ghsa-coords10 versionspkg:pypi/djangopkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1
>= 2.0a1, < 2.0.3+ 9 more
- (no CPE)range: >= 2.0a1, < 2.0.3
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 3.2.7-2.3
- (no CPE)range: < 1.6.11-5.5.1
- (no CPE)range: < 1.6.11-6.5.1
- (no CPE)range: < 1.8.19-3.6.1
- (no CPE)range: < 1.8.19-3.4.1
- (no CPE)range: < 1.11.11-8.1
- (no CPE)range: < 1.11.15-2.1
Patches
Vulnerability mechanics
References
18- www.securityfocus.com/bid/103361nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2018:2927nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0051nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0082nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0265nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-r28v-mw67-m5p9ghsaADVISORY
- lists.debian.org/debian-lts-announce/2018/03/msg00006.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2018-7536ghsaADVISORY
- usn.ubuntu.com/3591-1/nvdThird Party Advisory
- www.debian.org/security/2018/dsa-4161nvdThird Party AdvisoryWEB
- www.djangoproject.com/weblog/2018/mar/06/security-releases/nvdRelease NotesVendor Advisory
- github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2nvdWEB
- github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16nvdWEB
- github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8nvdWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-5.yamlghsaWEB
- usn.ubuntu.com/3591-1ghsaWEB
- web.archive.org/web/20200227131019/http://www.securityfocus.com/bid/103361ghsaWEB
- www.djangoproject.com/weblog/2018/mar/06/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.