VYPR

rpm package

opensuse/python-Django4&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed

Vulnerabilities (89)

  • CVE-2026-8404LowJun 3, 2026
    affected < 4.2.30-3.1fixed 4.2.30-3.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached

  • CVE-2026-7666LowJun 3, 2026
    affected < 4.2.30-3.1fixed 4.2.30-3.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path netwo

  • CVE-2026-6873LowJun 3, 2026
    affected < 4.2.30-3.1fixed 4.2.30-3.1

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context diff

  • CVE-2026-48587LowJun 3, 2026
    affected < 4.2.30-3.1fixed 4.2.30-3.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses vi

  • CVE-2026-35193LowJun 3, 2026
    affected < 4.2.30-3.1fixed 4.2.30-3.1

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote att

  • CVE-2026-6907MedMay 5, 2026
    affected < 4.2.30-2.1fixed 4.2.30-2.1

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django

  • CVE-2026-5766MedMay 5, 2026
    affected < 4.2.30-2.1fixed 4.2.30-2.1

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminde

  • CVE-2026-35192MedMay 5, 2026
    affected < 4.2.30-2.1fixed 4.2.30-2.1

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,

  • CVE-2026-4292LowApr 7, 2026
    affected < 4.2.30-1.1fixed 4.2.30-1.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.

  • CVE-2026-4277CriApr 7, 2026
    affected < 4.2.30-1.1fixed 4.2.30-1.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2

  • CVE-2026-3902HigApr 7, 2026
    affected < 4.2.30-1.1fixed 4.2.30-1.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie

  • CVE-2026-33034HigApr 7, 2026
    affected < 4.2.30-1.1fixed 4.2.30-1.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an

  • CVE-2026-33033MedApr 7, 2026
    affected < 4.2.30-1.1fixed 4.2.30-1.1

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj

  • CVE-2026-25674Mar 3, 2026
    affected < 4.2.29-1.1fixed 4.2.29-1.1

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w

  • CVE-2025-14550Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an

  • CVE-2026-1312Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered

  • CVE-2026-1287Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m

  • CVE-2026-1285Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause

  • CVE-2026-1207Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and

  • CVE-2025-13473Feb 3, 2026
    affected < 4.2.28-1.1fixed 4.2.28-1.1

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang

Page 1 of 5