Djangoproject

Django

153 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.75%
  • Veröffentlicht 03.02.2026 14:36:03
  • Zuletzt bearbeitet 30.06.2026 03:17:15

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**...

  • EPSS 0.99%
  • Veröffentlicht 03.02.2026 14:35:50
  • Zuletzt bearbeitet 04.02.2026 17:09:01

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters all...

  • EPSS 9.44%
  • Veröffentlicht 03.02.2026 14:35:33
  • Zuletzt bearbeitet 30.06.2026 03:17:15

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django ser...

  • EPSS 0.71%
  • Veröffentlicht 03.02.2026 14:32:26
  • Zuletzt bearbeitet 04.02.2026 17:10:36

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing atta...

  • EPSS 2.14%
  • Veröffentlicht 02.12.2025 15:15:34
  • Zuletzt bearbeitet 10.12.2025 21:47:14

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering...

  • EPSS 0.9%
  • Veröffentlicht 02.12.2025 15:13:35
  • Zuletzt bearbeitet 12.12.2025 12:57:23

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `Quer...

Exploit
  • EPSS 19.4%
  • Veröffentlicht 05.11.2025 15:15:41
  • Zuletzt bearbeitet 10.11.2025 18:25:59

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictio...

  • EPSS 1.93%
  • Veröffentlicht 05.11.2025 15:15:40
  • Zuletzt bearbeitet 10.11.2025 18:33:02

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcu...

  • EPSS 0.85%
  • Veröffentlicht 01.10.2025 19:15:37
  • Zuletzt bearbeitet 04.11.2025 22:16:35

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal vi...

  • EPSS 0.58%
  • Veröffentlicht 01.10.2025 19:15:36
  • Zuletzt bearbeitet 04.11.2025 22:16:35

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably craf...