Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Django — Vulnerabilities & Security Advisories 36

All 36 CVE vulnerabilities found in Django, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known security weaknesses for the Django web framework, a Python-based product developed by the Django Software Foundation. The collection includes vulnerabilities categorized under common weakness types such as cross-site scripting, injection flaws, and insecure configuration settings. These entries cover advisory data released between 2015 and 2024, ensuring a comprehensive historical view of the platform's security landscape. Visitors to this resource can track vendor advisories to stay informed about critical patches and updates issued by the Django team. You can also understand specific weakness classes by examining detailed descriptions, impact assessments, and remediation strategies associated with each finding. Additionally, the page allows you to look up the product's vulnerability history, providing a chronological timeline of security incidents and their resolution status. This structured approach helps developers, security auditors, and system administrators assess risks accurately. By consolidating diverse sources into a single view, the page eliminates the need to search multiple repositories or mailing lists. Users can compare severity scores, review affected versions, and verify if their deployment instances require immediate attention. The data is presented in a neutral, factual manner to support informed decision-making. Whether you are conducting a routine security audit or responding to a new threat, this aggregation serves as a reliable reference for understanding the security posture of Django over time.

Vendor: djangoproject

CVE IDTitleCVSSSeverityPublished
CVE-2026-53878 Header injection possibility since DomainNameValidator accepted newlines in input CWE-144 6.1 Medium2026-07-07
CVE-2026-53877 Heap buffer over-read in GDALRaster CWE-805 4.8 Medium2026-07-07
CVE-2026-48588 Potential exposure of private data via cached Set-Cookie response CWE-524 4.2 Low2026-07-07
CVE-2026-48587 Potential exposure of private data via whitespace padding in Vary header CWE-1023 3.1 Low2026-06-03
CVE-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware CWE-524 3.1 Low2026-06-03
CVE-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware CWE-178 3.1 Low2026-06-03
CVE-2026-7666 Potential unencrypted email transmission via STARTTLS in the SMTP backend CWE-319 3.1 Low2026-06-03
CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie CWE-347 3.1 Low2026-06-03
CVE-2026-35192 Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST CWE-539 7.6 -2026-05-05
CVE-2026-6907 Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware CWE-524 4.3 Medium2026-05-05
CVE-2026-5766 Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass CWE-130 5.3 Medium2026-05-05
CVE-2026-33034 Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass CWE-770 7.5AIHighAI2026-04-07
CVE-2026-33033 Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload CWE-407 5.3AIMediumAI2026-04-07
CVE-2026-4292 Privilege abuse in ModelAdmin.list_editable CWE-862 9.1AICriticalAI2026-04-07
CVE-2026-4277 Privilege abuse in GenericInlineModelAdmin CWE-862 9.8AICriticalAI2026-04-07
CVE-2026-3902 ASGI header spoofing via underscore/hyphen conflation CWE-290 5.3AIMediumAI2026-04-07
CVE-2026-25674 Potential incorrect permissions on newly created file system objects CWE-362 6.5 -2026-03-03
CVE-2026-25673 Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows CWE-400 7.5AIHighAI2026-03-03
CVE-2025-14550 Potential denial-of-service vulnerability via repeated headers when using ASGI CWE-407 7.5 -2026-02-03
CVE-2026-1312 Potential SQL injection via QuerySet.order_by and FilteredRelation CWE-89 9.8 -2026-02-03
CVE-2026-1287 Potential SQL injection in column aliases via control characters CWE-89 9.8 -2026-02-03
CVE-2026-1285 Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods CWE-407 7.5 -2026-02-03
CVE-2026-1207 Potential SQL injection via raster lookups on PostGIS CWE-89 9.8 -2026-02-03
CVE-2025-13473 Username enumeration through timing difference in mod_wsgi authentication handler CWE-208 3.7 -2026-02-03
CVE-2025-64460 Potential denial-of-service vulnerability in XML serializer text extraction CWE-407 7.5AIHighAI2025-12-02
CVE-2025-13372 Potential SQL injection in FilteredRelation column aliases on PostgreSQL CWE-89 9.8AICriticalAI2025-12-02
CVE-2025-64459 Potential SQL injection via _connector keyword argument in QuerySet and Q objects CWE-89 9.8 -2025-11-05
CVE-2025-64458 Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CWE-407 7.5 -2025-11-05
CVE-2025-59681 Django SQL注入漏洞 CWE-89 7.1 High2025-10-01
CVE-2025-59682 Django 安全漏洞 CWE-23 3.1 Low2025-10-01

All 36 known CVE vulnerabilities affecting Django with full Chinese analysis, references, and POCs where available.