CVE-2026-1287
- EPSS 0.75%
- Veröffentlicht 03.02.2026 14:36:03
- Zuletzt bearbeitet 30.06.2026 03:17:15
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**...
CVE-2026-1285
- EPSS 0.99%
- Veröffentlicht 03.02.2026 14:35:50
- Zuletzt bearbeitet 04.02.2026 17:09:01
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters all...
CVE-2026-1207
- EPSS 9.44%
- Veröffentlicht 03.02.2026 14:35:33
- Zuletzt bearbeitet 30.06.2026 03:17:15
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django ser...
CVE-2025-13473
- EPSS 0.71%
- Veröffentlicht 03.02.2026 14:32:26
- Zuletzt bearbeitet 04.02.2026 17:10:36
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing atta...
CVE-2025-64460
- EPSS 2.14%
- Veröffentlicht 02.12.2025 15:15:34
- Zuletzt bearbeitet 10.12.2025 21:47:14
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering...
CVE-2025-13372
- EPSS 0.9%
- Veröffentlicht 02.12.2025 15:13:35
- Zuletzt bearbeitet 12.12.2025 12:57:23
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `Quer...
CVE-2025-64459
- EPSS 19.4%
- Veröffentlicht 05.11.2025 15:15:41
- Zuletzt bearbeitet 10.11.2025 18:25:59
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictio...
CVE-2025-64458
- EPSS 1.93%
- Veröffentlicht 05.11.2025 15:15:40
- Zuletzt bearbeitet 10.11.2025 18:33:02
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcu...
CVE-2025-59682
- EPSS 0.85%
- Veröffentlicht 01.10.2025 19:15:37
- Zuletzt bearbeitet 04.11.2025 22:16:35
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal vi...
CVE-2025-59681
- EPSS 0.58%
- Veröffentlicht 01.10.2025 19:15:36
- Zuletzt bearbeitet 04.11.2025 22:16:35
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably craf...