VYPR

rpm package

opensuse/python-Django (distro: openSUSE Leap 16.0)

pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2016.0

Vulnerabilities (22)

  • CVE-2026-8404 | Low | Jun 3, 2026
    affected: < 5.2.4-bp160.9.1; fixed: 5.2.4-bp160.9.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached

  • CVE-2026-7666 | Low | Jun 3, 2026
    affected: < 5.2.4-bp160.9.1; fixed: 5.2.4-bp160.9.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo

  • CVE-2026-6873 | Low | Jun 3, 2026
    affected: < 5.2.4-bp160.9.1; fixed: 5.2.4-bp160.9.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff

  • CVE-2026-48587 | Low | Jun 3, 2026
    affected: < 5.2.4-bp160.9.1; fixed: 5.2.4-bp160.9.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi

  • CVE-2026-35193 | Low | Jun 3, 2026
    affected: < 5.2.4-bp160.9.1; fixed: 5.2.4-bp160.9.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att

  • CVE-2026-4292 | Low | Apr 7, 2026
    affected: < 5.2.4-bp160.7.1; fixed: 5.2.4-bp160.7.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.

  • CVE-2026-4277 | Critical | Apr 7, 2026
    affected: < 5.2.4-bp160.7.1; fixed: 5.2.4-bp160.7.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2

  • CVE-2026-3902 | High | Apr 7, 2026
    affected: < 5.2.4-bp160.7.1; fixed: 5.2.4-bp160.7.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie

  • CVE-2026-33034 | High | Apr 7, 2026
    affected: < 5.2.4-bp160.7.1; fixed: 5.2.4-bp160.7.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an

  • CVE-2026-33033 | Medium | Apr 7, 2026
    affected: < 5.2.4-bp160.7.1; fixed: 5.2.4-bp160.7.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj

  • CVE-2026-25674 | Mar 3, 2026
    affected: < 5.2.4-bp160.6.1; fixed: 5.2.4-bp160.6.1

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w

  • CVE-2025-14550 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an

  • CVE-2026-1312 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered

  • CVE-2026-1287 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m

  • CVE-2026-1285 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause

  • CVE-2026-1207 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and

  • CVE-2025-13473 | Feb 3, 2026
    affected: < 5.2.4-bp160.5.1; fixed: 5.2.4-bp160.5.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang

  • CVE-2025-64460 | Dec 2, 2025
    affected: < 5.2.4-bp160.4.1; fixed: 5.2.4-bp160.4.1

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via

  • CVE-2025-13372 | Dec 2, 2025
    affected: < 5.2.4-bp160.4.1; fixed: 5.2.4-bp160.4.1

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.

  • CVE-2025-64459 | Nov 5, 2025
    affected: < 5.2.4-bp160.4.1; fixed: 5.2.4-bp160.4.1

    An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansio

Page 1 of 2