CVE-2026-35192
- EPSS 0.54%
- Veröffentlicht 05.05.2026 16:16:12
- Zuletzt bearbeitet 07.05.2026 14:20:37
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a...
CVE-2026-33034
- EPSS 0.77%
- Veröffentlicht 07.04.2026 14:22:59
- Zuletzt bearbeitet 13.04.2026 17:38:35
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowin...
CVE-2026-33033
- EPSS 0.69%
- Veröffentlicht 07.04.2026 14:22:48
- Zuletzt bearbeitet 13.04.2026 17:39:05
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive white...
CVE-2026-4292
- EPSS 0.29%
- Veröffentlicht 07.04.2026 14:22:38
- Zuletzt bearbeitet 13.04.2026 17:34:48
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series...
CVE-2026-4277
- EPSS 0.46%
- Veröffentlicht 07.04.2026 14:22:25
- Zuletzt bearbeitet 13.04.2026 17:37:29
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series ...
CVE-2026-3902
- EPSS 0.44%
- Veröffentlicht 07.04.2026 14:22:07
- Zuletzt bearbeitet 13.04.2026 17:38:05
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single ve...
CVE-2026-25674
- EPSS 0.34%
- Veröffentlicht 03.03.2026 14:28:37
- Zuletzt bearbeitet 05.03.2026 14:07:03
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissi...
CVE-2026-25673
- EPSS 0.73%
- Veröffentlicht 03.03.2026 14:28:28
- Zuletzt bearbeitet 30.06.2026 03:17:43
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode ...
CVE-2025-14550
- EPSS 0.99%
- Veröffentlicht 03.02.2026 14:38:15
- Zuletzt bearbeitet 04.02.2026 17:09:58
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django se...
CVE-2026-1312
- EPSS 0.8%
- Veröffentlicht 03.02.2026 14:36:23
- Zuletzt bearbeitet 30.06.2026 03:17:16
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionar...