Djangoproject

Django

153 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.54%
  • Veröffentlicht 05.05.2026 16:16:12
  • Zuletzt bearbeitet 07.05.2026 14:20:37

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a...

  • EPSS 0.77%
  • Veröffentlicht 07.04.2026 14:22:59
  • Zuletzt bearbeitet 13.04.2026 17:38:35

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowin...

  • EPSS 0.69%
  • Veröffentlicht 07.04.2026 14:22:48
  • Zuletzt bearbeitet 13.04.2026 17:39:05

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive white...

  • EPSS 0.29%
  • Veröffentlicht 07.04.2026 14:22:38
  • Zuletzt bearbeitet 13.04.2026 17:34:48

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series...

  • EPSS 0.46%
  • Veröffentlicht 07.04.2026 14:22:25
  • Zuletzt bearbeitet 13.04.2026 17:37:29

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series ...

  • EPSS 0.44%
  • Veröffentlicht 07.04.2026 14:22:07
  • Zuletzt bearbeitet 13.04.2026 17:38:05

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single ve...

  • EPSS 0.34%
  • Veröffentlicht 03.03.2026 14:28:37
  • Zuletzt bearbeitet 05.03.2026 14:07:03

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissi...

  • EPSS 0.73%
  • Veröffentlicht 03.03.2026 14:28:28
  • Zuletzt bearbeitet 30.06.2026 03:17:43

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode ...

  • EPSS 0.99%
  • Veröffentlicht 03.02.2026 14:38:15
  • Zuletzt bearbeitet 04.02.2026 17:09:58

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django se...

  • EPSS 0.8%
  • Veröffentlicht 03.02.2026 14:36:23
  • Zuletzt bearbeitet 30.06.2026 03:17:16

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionar...