VYPR

Vendor: Djangoproject
Status: Private
Products: 5
CVEs: 126 (126 across all products)

Recent CVEs (126)
  • CVE-2026-4277 | Critical | Apr 7, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and…

  • CVE-2016-9013 | Critical | Dec 9, 2016
    risk 0.57 | CVSS 9.8 | EPSS 0.05

    Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging…

  • CVE-2016-9014 | High | Dec 9, 2016
    risk 0.46 | CVSS 8.1 | EPSS 0.06

    Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

  • CVE-2026-3902 | High | Apr 7, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.…

  • CVE-2026-33034 | High | Apr 7, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an…

  • CVE-2016-2512 | High | Apr 8, 2016
    risk 0.41 | CVSS 7.4 | EPSS 0.04

    The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as…

  • CVE-2016-6186 | Medium | Aug 5, 2016
    risk 0.36 | CVSS 6.1 | EPSS 0.06

    Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script…

  • CVE-2026-35192 | Medium | May 5, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,…

  • CVE-2026-33033 | Medium | Apr 7, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported…

  • CVE-2017-12794 | Medium | Sep 7, 2017
    risk 0.35 | CVSS 6.1 | EPSS 0.24

    In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production…

  • CVE-2026-44545 | Medium | Jun 3, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing…

  • CVE-2026-34231 | Medium | Mar 31, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is…

  • CVE-2017-7234 | Medium | Apr 4, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.02

    A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.

  • CVE-2017-7233 | Medium | Apr 4, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.02

    Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they…

  • CVE-2016-2048 | Medium | Feb 8, 2016
    risk 0.29 | CVSS 5.5 | EPSS 0.02

    Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

  • CVE-2026-5766 | Medium | May 5, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a…

  • CVE-2026-44546 | Low | Jun 3, 2026
    risk 0.24 | CVSS 3.7 | EPSS 0.00

    daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and…

  • CVE-2026-6907 | Medium | May 5, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported…

  • CVE-2026-8404 | Low | Jun 3, 2026
    risk 0.20 | CVSS 3.1 | EPSS 0.00

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached…

  • CVE-2026-7666 | Low | Jun 3, 2026
    risk 0.20 | CVSS 3.1 | EPSS 0.00

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path…