rpm package
opensuse/python-Django&distro=openSUSE Leap 16.0
pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2016.0
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-8404 | Low | 3.1 | — | < 5.2.4-bp160.9.1 | 5.2.4-bp160.9.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached |
| CVE-2026-7666 | Low | 3.1 | — | < 5.2.4-bp160.9.1 | 5.2.4-bp160.9.1 | Jun 3, 2026 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo |
| CVE-2026-6873 | Low | 3.1 | — | < 5.2.4-bp160.9.1 | 5.2.4-bp160.9.1 | Jun 3, 2026 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff |
| CVE-2026-48587 | Low | 3.1 | — | < 5.2.4-bp160.9.1 | 5.2.4-bp160.9.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi |
| CVE-2026-35193 | Low | 3.1 | — | < 5.2.4-bp160.9.1 | 5.2.4-bp160.9.1 | Jun 3, 2026 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att |
| CVE-2026-4292 | Low | 2.7 | — | < 5.2.4-bp160.7.1 | 5.2.4-bp160.7.1 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3. |
| CVE-2026-4277 | Critical | 9.8 | — | < 5.2.4-bp160.7.1 | 5.2.4-bp160.7.1 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2 |
| CVE-2026-3902 | High | 7.5 | — | < 5.2.4-bp160.7.1 | 5.2.4-bp160.7.1 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie |
| CVE-2026-33034 | High | 7.5 | — | < 5.2.4-bp160.7.1 | 5.2.4-bp160.7.1 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an |
| CVE-2026-33033 | Medium | 6.5 | — | < 5.2.4-bp160.7.1 | 5.2.4-bp160.7.1 | Apr 7, 2026 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj |
| CVE-2026-25674 | — | — | — | < 5.2.4-bp160.6.1 | 5.2.4-bp160.6.1 | Mar 3, 2026 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w |
| CVE-2025-14550 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an |
| CVE-2026-1312 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered |
| CVE-2026-1287 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m |
| CVE-2026-1285 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause |
| CVE-2026-1207 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and |
| CVE-2025-13473 | — | — | — | < 5.2.4-bp160.5.1 | 5.2.4-bp160.5.1 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang |
| CVE-2025-64460 | — | — | — | < 5.2.4-bp160.4.1 | 5.2.4-bp160.4.1 | Dec 2, 2025 | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via |
| CVE-2025-13372 | — | — | — | < 5.2.4-bp160.4.1 | 5.2.4-bp160.4.1 | Dec 2, 2025 | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet. |
| CVE-2025-64459 | — | — | — | < 5.2.4-bp160.4.1 | 5.2.4-bp160.4.1 | Nov 5, 2025 | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansio |
Page 1 of 2