Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (Django version) |
Remediation Possible** |
| CVE-2026-4277 |
Critical |
9.8 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.30 |
❌ |
| CVE-2025-64459 |
Critical |
9.1 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.26 |
❌ |
| CVE-2026-3902 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.30 |
❌ |
| CVE-2026-33034 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.30 |
❌ |
| CVE-2026-25673 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.29 |
❌ |
| CVE-2026-1285 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2 |
❌ |
| CVE-2025-64460 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.27 |
❌ |
| CVE-2025-64458 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.26 |
❌ |
| CVE-2025-14550 |
High |
7.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 4.2.28,django - 6.0.2,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2 |
❌ |
| CVE-2025-59681 |
High |
7.1 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.25 |
❌ |
| CVE-2026-33033 |
Medium |
6.5 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.30 |
❌ |
| CVE-2026-1312 |
Medium |
5.4 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 5.2.11,django - 6.0.2,https://github.com/django/django.git - 6.0.2,django - 6.0.2 |
❌ |
| CVE-2026-1287 |
Medium |
5.4 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28 |
❌ |
| CVE-2026-1207 |
Medium |
5.4 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28,django - 6.0.2 |
❌ |
| CVE-2025-13473 |
Medium |
5.3 |
Django-4.2.18-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2,django - 6.0.2 |
❌ |
| CVE-2025-13372 |
Medium |
4.3 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.27 |
❌ |
| CVE-2026-25674 |
Low |
3.7 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.29 |
❌ |
| CVE-2025-59682 |
Low |
3.1 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.25 |
❌ |
| CVE-2026-4292 |
Low |
2.7 |
Django-4.2.18-py3-none-any.whl |
Direct |
4.2.30 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-4277
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of forged "POST" data in "GenericInlineModelAdmin".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-4277
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
CVE-2025-64459
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-05
Fix Resolution: 4.2.26
Step up your Open Source Security Game with Mend here
CVE-2026-3902
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
"ASGIRequest" allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-3902
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
CVE-2026-33034
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated "Content-Length" header could bypass the "DATA_UPLOAD_MAX_MEMORY_SIZE" limit when reading "HttpRequest.body", allowing remote attackers to load an unbounded request body into memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-33034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
CVE-2026-25673
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
"URLField.to_python()" in Django calls "urllib.parse.urlsplit()", which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-03-03
URL: CVE-2026-25673
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
Release Date: 2026-03-03
Fix Resolution: 4.2.29
Step up your Open Source Security Game with Mend here
CVE-2026-1285
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"django.utils.text.Truncator.chars()" and "Truncator.words()" methods (with "html=True") and the "truncatechars_html" and "truncatewords_html" template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1285
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4rrr-2h4v-f3j9
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2025-64460
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in "django.core.serializers.xml_serializer.getInnerText()" allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML "Deserializer".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-64460
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
Step up your Open Source Security Game with Mend here
CVE-2025-64458
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, "django.http.HttpResponseRedirect", "django.http.HttpResponsePermanentRedirect", and the shortcut "django.shortcuts.redirect" were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64458
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw25-v68c-qjf3
Release Date: 2025-11-05
Fix Resolution: 4.2.26
Step up your Open Source Security Game with Mend here
CVE-2025-14550
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"ASGIRequest" allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Jiyong Yang for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2025-14550
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mw-q7rj-mjwj
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,django - 6.0.2,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2025-59681
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Publish Date: 2025-10-01
URL: CVE-2025-59681
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hpr9-3m2g-3j9p
Release Date: 2025-10-01
Fix Resolution: 4.2.25
Step up your Open Source Security Game with Mend here
CVE-2026-33033
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
"MultiPartParser" allows remote attackers to degrade performance by submitting multipart uploads with "Content-Transfer-Encoding: base64" including excessive whitespace.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-33033
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
CVE-2026-1312
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
".QuerySet.order_by()" is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in "FilteredRelation".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1312
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 5.2.11,django - 6.0.2,https://github.com/django/django.git - 6.0.2,django - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2026-1287
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"FilteredRelation" is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet" methods "annotate()", "aggregate()", "extra()", "values()", "values_list()", and "alias()".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1287
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28
Step up your Open Source Security Game with Mend here
CVE-2026-1207
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on "RasterField" (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-03
URL: CVE-2026-1207
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mwm9-4648-f68q
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28,django - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2025-13473
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The "django.contrib.auth.handlers.modwsgi.check_password()" function for authentication via "mod_wsgi" allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2025-13473
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mcm-79hx-8fxw
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2,django - 6.0.2
Step up your Open Source Security Game with Mend here
CVE-2025-13372
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
"FilteredRelation" is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet.annotate()" or "QuerySet.alias()" on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-13372
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/dev/releases/security/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
Step up your Open Source Security Game with Mend here
CVE-2026-25674
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary "umask" change affects other threads in multi-threaded environments.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Publish Date: 2026-03-03
URL: CVE-2026-25674
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
Release Date: 2026-03-03
Fix Resolution: 4.2.29
Step up your Open Source Security Game with Mend here
CVE-2025-59682
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Publish Date: 2025-10-01
URL: CVE-2025-59682
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q95w-c7qg-hrff
Release Date: 2025-10-01
Fix Resolution: 4.2.25
Step up your Open Source Security Game with Mend here
CVE-2026-4292
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Admin changelist forms using "ModelAdmin.list_editable" incorrectly allowed new instances to be created via forged "POST" data.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-4292
CVSS 3 Score Details (2.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of forged "POST" data in "GenericInlineModelAdmin".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-4277
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-11-05
Fix Resolution: 4.2.26
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
"ASGIRequest" allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-3902
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated "Content-Length" header could bypass the "DATA_UPLOAD_MAX_MEMORY_SIZE" limit when reading "HttpRequest.body", allowing remote attackers to load an unbounded request body into memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-33034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
"URLField.to_python()" in Django calls "urllib.parse.urlsplit()", which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-03-03
URL: CVE-2026-25673
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
Release Date: 2026-03-03
Fix Resolution: 4.2.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"django.utils.text.Truncator.chars()" and "Truncator.words()" methods (with "html=True") and the "truncatechars_html" and "truncatewords_html" template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1285
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4rrr-2h4v-f3j9
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in "django.core.serializers.xml_serializer.getInnerText()" allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML "Deserializer".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-64460
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, "django.http.HttpResponseRedirect", "django.http.HttpResponsePermanentRedirect", and the shortcut "django.shortcuts.redirect" were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64458
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qw25-v68c-qjf3
Release Date: 2025-11-05
Fix Resolution: 4.2.26
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"ASGIRequest" allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Jiyong Yang for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2025-14550
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-33mw-q7rj-mjwj
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,django - 6.0.2,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Publish Date: 2025-10-01
URL: CVE-2025-59681
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hpr9-3m2g-3j9p
Release Date: 2025-10-01
Fix Resolution: 4.2.25
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
"MultiPartParser" allows remote attackers to degrade performance by submitting multipart uploads with "Content-Transfer-Encoding: base64" including excessive whitespace.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-33033
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
".QuerySet.order_by()" is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in "FilteredRelation".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1312
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 5.2.11,django - 6.0.2,https://github.com/django/django.git - 6.0.2,django - 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
"FilteredRelation" is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet" methods "annotate()", "aggregate()", "extra()", "values()", "values_list()", and "alias()".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2026-1287
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on "RasterField" (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-03
URL: CVE-2026-1207
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mwm9-4648-f68q
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 6.0.2,django - 6.0.2,https://github.com/django/django.git - 5.2.11,https://github.com/django/django.git - 4.2.28,django - 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The "django.contrib.auth.handlers.modwsgi.check_password()" function for authentication via "mod_wsgi" allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Publish Date: 2026-02-03
URL: CVE-2025-13473
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2mcm-79hx-8fxw
Release Date: 2026-02-03
Fix Resolution: https://github.com/django/django.git - 4.2.28,https://github.com/django/django.git - 6.0.2,https://github.com/django/django.git - 5.2.11,django - 6.0.2,django - 6.0.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
"FilteredRelation" is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet.annotate()" or "QuerySet.alias()" on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-13372
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/dev/releases/security/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary "umask" change affects other threads in multi-threaded environments.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Publish Date: 2026-03-03
URL: CVE-2026-25674
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
Release Date: 2026-03-03
Fix Resolution: 4.2.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Publish Date: 2025-10-01
URL: CVE-2025-59682
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q95w-c7qg-hrff
Release Date: 2025-10-01
Fix Resolution: 4.2.25
Step up your Open Source Security Game with Mend here
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Admin changelist forms using "ModelAdmin.list_editable" incorrectly allowed new instances to be created via forged "POST" data.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Publish Date: 2026-04-07
URL: CVE-2026-4292
CVSS 3 Score Details (2.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-07
Fix Resolution: 4.2.30
Step up your Open Source Security Game with Mend here