9.8

CVE-2026-4277

EPSS 0.02%
Veröffentlicht 07.04.2026 14:22:25
Zuletzt bearbeitet 13.04.2026 17:37:29
Quelle 6a34fbeb-21d4-45e7-8e0a-62b95b
CVE-Watchlists
Login
Unerledigt
Login

Privilege abuse in GenericInlineModelAdmin

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 4.2 < 4.2.30

Djangoproject ≫ Django Version >= 5.2 < 5.2.13

Djangoproject ≫ Django Version >= 6.0 < 6.0.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.062

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://docs.djangoproject.com/en/dev/releases/security/

Patch

Vendor Advisory

https://groups.google.com/g/django-announce

Release Notes

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-4277

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-4277

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-4277

EUVD