
Django Security Audit

Django is a widely used PyPI package. As of 2026-05-24, there are 300 known vulnerabilities in the OSV database. The latest stable version is 6.0.5. Developers should audit their dependency trees and update to patched versions.

Package Overview

Package: Django
Ecosystem: PyPI
Latest Version: 6.0.5
License: Unknown
Description: A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Repository: https://github.com/django/django

Known Vulnerabilities (300)

ID Severity Score Affected Versions Fixed In Description
CVE-2022-28346 CRITICAL 9.5 2.2 to 2.2.28; 3.2 to 3.2.13; 4.0 to 4.0.4 2.2.28 SQL Injection in Django
CVE-2016-9014 CRITICAL 9.5 1.8a1 to 1.8.16; 1.9a1 to 1.9.11; 1.10a1 to 1.10.3 1.8.16 Django DNS Rebinding Vulnerability
CVE-2019-14234 CRITICAL 9.5 1.11a1 to 1.11.23; 2.1a1 to 2.1.11; 2.2a1 to 2.2.4 1.11.23 SQL Injection in Django
CVE-2012-3442 CRITICAL 9.5 0 to 1.3.2; 1.4 to 1.4.1 1.3.2 Django Allows Redirect via Data URL
CVE-2011-0698 CRITICAL 9.5 1.1 to 1.1.4; 1.2 to 1.2.5 1.1.4 Directory traversal in Django
CVE-2025-64459 CRITICAL 9.5 5.2a1 to 5.2.8; 5.0a1 to 5.1.14; 0 to 4.2.26 5.2.8 Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
CVE-2020-7471 CRITICAL 9.5 0 to 1.11.28; 2.0 to 2.2.10; 3.0 to 3.0.3 1.11.28 SQL injection in Django
CVE-2016-9013 CRITICAL 9.5 1.10a1 to 1.10.3; 1.9a1 to 1.9.11; 1.8a1 to 1.8.16 1.10.3 Django user with hardcoded password created when running tests on Oracle
CVE-2022-34265 CRITICAL 9.5 3.2a1 to 3.2.14; 4.0a1 to 4.0.6 3.2.14 Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
CVE-2024-42005 CRITICAL 9.5 5.0 to 5.0.8; 4.2 to 4.2.15 5.0.8 Django SQL injection vulnerability
CVE-2014-1418 CRITICAL 9.5 1.4 to 1.4.13; 1.5 to 1.5.8; 1.6 to 1.6.5; 1.7a1 to 1.7b4 1.4.13 Django Vulnerable to Cache Poisoning
CVE-2023-31047 CRITICAL 9.5 3.2a1 to 3.2.19; 4.0a1 to 4.1.9; 4.2a1 to 4.2.1 3.2.19 Django bypasses validation when using one form field to upload multiple files
CVE-2014-0472 CRITICAL 9.5 0 to 1.4.11; 1.5 to 1.5.6; 1.6 to 1.6.3 1.4.11 Code Injection in Django
CVE-2019-19844 CRITICAL 9.5 0 to 1.11.27; 2.0 to 2.2.9; 3.0 to 3.0.1 1.11.27 Django Potential account hijack via password reset form
CVE-2022-28347 CRITICAL 9.5 2.2 to 2.2.28; 3.2 to 3.2.13; 4.0 to 4.0.4 2.2.28 SQL Injection in Django
CVE-2021-35042 CRITICAL 9.5 3.2a1 to 3.2.5; 3.0a1 to 3.1.13 3.2.5 SQL Injection in Django
CVE-2012-4520 HIGH 7.5 1.3 to 1.3.4; 1.4 to 1.4.2 1.3.4 Django Allows Arbitrary URL Generation
CVE-2014-0481 HIGH 7.5 0 to 1.4.14; 1.5 to 1.5.9; 1.6 to 1.6.6 1.4.14 Django denial of service via file upload naming
CVE-2023-24580 HIGH 7.5 3.2a1 to 3.2.18; 4.1a1 to 4.1.7; 4.0a1 to 4.0.10 3.2.18 Resource exhaustion in Django
CVE-2019-3498 HIGH 7.5 1.11a1 to 1.11.18; 2.0a1 to 2.0.10; 2.1a1 to 2.1.5 1.11.18 Improper Input Validation in Django
CVE-2020-9402 HIGH 7.5 1.11 to 1.11.29; 2.2 to 2.2.11; 3.0 to 3.0.4 1.11.29 SQL injection in Django
CVE-2011-4137 HIGH 7.5 0 to 1.2.7; 1.3 to 1.3.1 1.2.7 Denial of service in django
CVE-2016-2048 HIGH 7.5 1.9 to 1.9.2 1.9.2 Django Access Restrictions Bypass
CVE-2013-1443 HIGH 7.5 1.4 to 1.4.8; 1.5 to 1.5.4 1.4.8 Django Denial of Service Vulnerability in the authentication framework
CVE-2021-45115 HIGH 7.5 2.2a1 to 2.2.26; 3.2a1 to 3.2.11; 4.0a1 to 4.0.1 2.2.26 Denial-of-service in Django
CVE-2012-3443 HIGH 7.5 0 to 1.3.2; 1.4 to 1.4.1 1.3.2 Django Image Field Vulnerable to Image Decompression Bombs
CVE-2012-3444 HIGH 7.5 0 to 1.3.2; 1.4 to 1.4.1 1.3.2 Django vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2011-0696 HIGH 7.5 1.1 to 1.1.4; 1.2 to 1.2.5 1.1.4 Cross-site request forgery in Django
CVE-2022-23833 HIGH 7.5 2.2 to 2.2.27; 3.2 to 3.2.12; 4.0 to 4.0.2 2.2.27 Infinite Loop in Django
CVE-2015-0222 HIGH 7.5 1.6 to 1.6.10; 1.7 to 1.7.3 1.6.10 Django database denial-of-service with ModelMultipleChoiceField
CVE-2025-57833 HIGH 7.5 0 to 4.2.24; 5.0a1 to 5.1.12; 5.2a1 to 5.2.6 4.2.24 Django is subject to SQL injection through its column aliases
CVE-2014-0473 HIGH 7.5 0 to 1.4.11; 1.5 to 1.5.6; 1.6 to 1.6.3 1.4.11 Django Reuses Cached CSRF Token
CVE-2021-45116 HIGH 7.5 2.2 to 2.2.26; 3.2 to 3.2.11; 4.0 to 4.0.1 2.2.26 Information disclosure in Django
CVE-2026-25673 HIGH 7.5 6.0 to 6.0.3; 5.2 to 5.2.12; 4.2 to 4.2.29 6.0.3 Django vulnerable to Uncontrolled Resource Consumption
CVE-2022-36359 HIGH 7.5 0 to 3.2.15; 4.0 to 4.0.7 3.2.15 Django vulnerable to Reflected File Download attack
CVE-2026-33034 HIGH 7.5 6.0 to 6.0.4; 5.2 to 5.2.13; 4.2 to 4.2.30 6.0.4 Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
CVE-2024-39330 HIGH 7.5 5.0 to 5.0.7; 4.2 to 4.2.14 5.0.7 Django Path Traversal vulnerability
CVE-2007-5712 HIGH 7.5 0.96.0 to 0.96.1; 0.95 to 0.95.2; 0.91.0 to 0.91.1 0.96.1 Django vulnerable to Denial of Service via i18n middleware component
CVE-2009-2659 HIGH 7.5 0.96.0 to 0.96.4; 1.0 to 1.0.3 0.96.4 Django Admin Media Handler Vulnerable to Directory Traversal
CVE-2019-14232 HIGH 7.5 1.11a1 to 1.11.23; 2.1a1 to 2.1.11; 2.2a1 to 2.2.4 1.11.23 Django Denial-of-service in django.utils.text.Truncator
CVE-2015-5145 HIGH 7.5 1.8a1 to 1.8.3 1.8.3 Django ReDoS in validators.URLValidator
CVE-2016-7401 HIGH 7.5 0 to 1.8.15; 1.9 to 1.9.10 1.8.15 Django CSRF Protection Bypass
CVE-2024-39614 HIGH 7.5 5.0 to 5.0.7; 4.2 to 4.2.14 5.0.7 Django vulnerable to Denial of Service
CVE-2014-0480 HIGH 7.5 0 to 1.4.14; 1.5 to 1.5.9; 1.6 to 1.6.6 1.4.14 Django Incorrectly Validates URLs
CVE-2010-4534 HIGH 7.5 0 to 1.1.3; 1.2 to 1.2.4 1.1.3 Improper query string handling in Django
CVE-2026-1287 HIGH 7.5 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has an SQL Injection issue
CVE-2015-5143 HIGH 7.5 0 to 1.4.21; 1.5 to 1.7.9; 1.8 to 1.8.3 1.4.21 Django Denial-of-service by filling session store
CVE-2019-14233 HIGH 7.5 1.11a1 to 1.11.23; 2.1a1 to 2.1.11; 2.2a1 to 2.2.4 1.11.23 Django Denial-of-service in strip_tags()
CVE-2023-43665 HIGH 7.5 3.2a1 to 3.2.22; 4.1a1 to 4.1.12; 4.2a1 to 4.2.6 3.2.22 Django Denial-of-service in django.utils.text.Truncator
CVE-2011-4140 HIGH 7.5 >= 0; >= 1.3 N/A Django Cross-Site Request Forgery vulnerability
CVE-2025-59681 HIGH 7.5 4.2 to 4.2.25; 5.1 to 5.1.13; 5.2 to 5.2.7 4.2.25 Django vulnerable to SQL injection in column aliases
CVE-2019-19118 HIGH 7.5 2.1 to 2.1.15; 2.2 to 2.2.8 2.1.15 Django allows unintended model editing
CVE-2015-2316 HIGH 7.5 1.6 to 1.6.11; 1.7 to 1.7.7; 1.8a1 to 1.8c1 1.6.11 Django Denial-of-service possibility with strip_tags
CVE-2023-36053 HIGH 7.5 3.2a1 to 3.2.20; 4.0a1 to 4.1.10; 4.2a1 to 4.2.3 3.2.20 Django has regular expression denial of service vulnerability in EmailValidator/URLValidator
CVE-2015-0221 HIGH 7.5 0 to 1.4.18; 1.6 to 1.6.10; 1.7 to 1.7.3 1.4.18 Django DoS in django.views.static.serve
CVE-2020-24583 HIGH 7.5 2.2a1 to 2.2.16; 3.0a1 to 3.0.10; 3.1a1 to 3.1.1 2.2.16 Django Incorrect Default Permissions
CVE-2024-53908 HIGH 7.5 5.0.0 to 5.0.10; 5.1.0 to 5.1.4; 4.2.0 to 4.2.17; 5.1 to 5.1.4; 5.0 to 5.0.10; 4.2 to 4.2.17 5.0.10 Django SQL injection in HasKey(lhs, rhs) on Oracle
CVE-2026-3902 HIGH 7.5 6.0 to 6.0.4; 5.2 to 5.2.13; 4.2 to 4.2.30 6.0.4 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
CVE-2026-1207 HIGH 7.5 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has an SQL Injection issue
CVE-2009-3695 HIGH 7.5 1.0 to 1.0.4; 1.1 to 1.1.1 1.0.4 Django Regex Algorithmic Complexity Causes Denial of Service
CVE-2021-33571 HIGH 7.5 2.2a1 to 2.2.24; 3.0a1 to 3.1.12; 3.2a1 to 3.2.4 2.2.24 Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
CVE-2023-23969 HIGH 7.5 3.2a1 to 3.2.17; 4.0a1 to 4.0.9; 4.1a1 to 4.1.6 3.2.17 Django contains Uncontrolled Resource Consumption via cached header
CVE-2015-5144 HIGH 7.5 0 to 1.4.21; 1.5 to 1.7.9; 1.8a1 to 1.8.3 1.4.21 Django Vulnerable to HTTP Response Splitting Attack
CVE-2007-0404 HIGH 7.5 0.95 to 1.0 1.0 Django Arbitrary Code Execution
CVE-2024-38875 HIGH 7.5 4.2 to 4.2.14; 5.0 to 5.0.7 4.2.14 Django vulnerable to Denial of Service
CVE-2023-46695 HIGH 7.5 3.2a1 to 3.2.23; 4.1a1 to 4.1.13; 4.2a1 to 4.2.7 3.2.23 Django potential denial of service vulnerability in UsernameField on Windows
CVE-2022-41323 HIGH 7.5 3.2 to 3.2.16; 4.0 to 4.0.8; 4.1 to 4.1.2 3.2.16 Django denial-of-service vulnerability in internationalized URLs
CVE-2025-64458 HIGH 7.5 5.2a1 to 5.2.8; 5.0a1 to 5.1.14; 0 to 4.2.26 5.2.8 Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2008-3909 HIGH 7.5 0.91.0 to 0.91.3; 0.95.0 to 0.95.4; 0.96.0 to 0.96.3 0.91.3 Django cross-site request forgery (CSRF) vulnerability
CVE-2018-6188 HIGH 7.5 2.0a1 to 2.0.2; 1.11.8 to 1.11.10 2.0.2 Django vulnerable to information leakage in AuthenticationForm
CVE-2011-4139 HIGH 7.5 0 to 1.2.7; 1.3 to 1.3.1 1.2.7 Django Vulnerable to Cache Poisoning
CVE-2021-31542 HIGH 7.5 2.2 to 2.2.21; 3.0 to 3.1.9; 3.2 to 3.2.1 2.2.21 Path Traversal in Django
CVE-2019-14235 HIGH 7.5 1.11a1 to 1.11.23; 2.1a1 to 2.1.11; 2.2a1 to 2.2.4 1.11.23 Uncontrolled Recursion in Django
CVE-2013-4315 HIGH 7.5 1.4 to 1.4.7; 1.5 to 1.5.3 1.4.7 Django Directory Traversal via ssi template tag
CVE-2014-3730 HIGH 7.5 1.4 to 1.4.13; 1.5 to 1.5.8; 1.6 to 1.6.5; 1.7a1 to 1.7b4 1.4.13 Django Allows Open Redirects
CVE-2019-6975 HIGH 7.5 1.11 to 1.11.19; 2.0 to 2.0.11; 2.1 to 2.1.6 1.11.19 Uncontrolled Memory Consumption in Django
CVE-2020-13254 HIGH 7.5 2.2 to 2.2.13; 3.0 to 3.0.7 2.2.13 Data leakage via cache key collision in Django
CVE-2014-0474 HIGH 7.5 0 to 1.4.11; 1.5 to 1.5.6; 1.6 to 1.6.3 1.4.11 Django Vulnerable to MySQL Injection
CVE-2011-4138 HIGH 7.5 0 to 1.2.7; 1.3 to 1.3.1 1.2.7 Django Might Allow CSRF Requests via URL Verification
CVE-2024-24680 HIGH 7.5 3.2 to 3.2.24; 4.2 to 4.2.10; 5.0 to 5.0.2 3.2.24 Django denial-of-service attack in the intcomma template filter
CVE-2020-13596 MODERATE 5.0 2.2a1 to 2.2.13; 3.0a1 to 3.0.7 2.2.13 XSS in Django
CVE-2017-7233 MODERATE 5.0 1.10a1 to 1.10.7; 1.9a1 to 1.9.13; 1.8a1 to 1.8.18 1.10.7 Django open redirect and possible XSS attack via user-supplied numeric redirect URLs
CVE-2013-4249 MODERATE 5.0 1.5 to 1.5.2 1.5.2 Django cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget
CVE-2008-2302 MODERATE 5.0 0.91 to 0.91.2; 0.95 to 0.95.3; 0.96 to 0.96.2 0.91.2 Django Cross-site scripting (XSS) vulnerability
CVE-2018-14574 MODERATE 5.0 2.0 to 2.0.8; 1.11 to 1.11.15 2.0.8 Django open redirect
CVE-2024-45230 MODERATE 5.0 5.1 to 5.1.1; 5.0 to 5.0.9; 4.2 to 4.2.16 5.1.1 Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
CVE-2026-33033 MODERATE 5.0 6.0 to 6.0.4; 5.2 to 5.2.13; 4.2 to 4.2.30 6.0.4 Django has potential DoS via MultiPartParser through crafted multipart uploads
CVE-2014-0482 MODERATE 5.0 0 to 1.4.14; 1.5 to 1.5.9; 1.6 to 1.6.6; 1.7a1 to 1.7c3 1.4.14 Django Middleware Enables Session Hijacking
CVE-2026-1312 MODERATE 5.0 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has an SQL Injection issue
CVE-2015-2241 MODERATE 5.0 0 to 1.7.6; 1.8a1 to 1.8b2 1.7.6 Django Cross-site Scripting Vulnerability
CVE-2021-33203 MODERATE 5.0 0 to 2.2.24; 3.0 to 3.1.12; 3.2 to 3.2.4 2.2.24 Path Traversal in Django
CVE-2019-11358 MODERATE 5.0 1.1.4 to 3.4.0; 0 to 4.3.4; 1.1.4 to 3.4.0; 2.0a1 to 2.1.9; 2.2a1 to 2.2.2; 1.1.4 to 3.4.0; 0 to 1.19.0 3.4.0 XSS in jQuery as used in Drupal, Backdrop CMS, and other products
CVE-2019-12781 MODERATE 5.0 2.1 to 2.1.10; 2.2 to 2.2.3; 1.11 to 1.11.22 2.1.10 Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS
CVE-2018-16984 MODERATE 5.0 2.1 to 2.1.2 2.1.2 Django allows unprivileged users to read the password hashes of arbitrary accounts
CVE-2015-8213 MODERATE 5.0 1.7 to 1.7.11; 1.8a1 to 1.8.7; 1.9a1 to 1.9rc2 1.7.11 Django settings leak in date template filter
CVE-2015-3982 MODERATE 5.0 1.8a1 to 1.8.2 1.8.2 Django allows user sessions hijacking via an empty string in the session key
CVE-2024-41990 MODERATE 5.0 5.0 to 5.0.8; 4.2 to 4.2.15 5.0.8 Django vulnerable to a denial-of-service attack
CVE-2015-2317 MODERATE 5.0 0 to 1.4.20; 1.5 to 1.6.11; 1.7 to 1.7.7; 1.8a1 to 1.8c1 1.4.20 Django cross-site scripting (XSS) attack via user-supplied redirect URLs
CVE-2023-41164 MODERATE 5.0 3.2 to 3.2.21; 4.1 to 4.1.11; 4.2 to 4.2.5 3.2.21 Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
CVE-2015-0219 MODERATE 5.0 0 to 1.4.18; 1.6 to 1.6.10; 1.7 to 1.7.3 1.4.18 Django WSGI Header Spoofing Vulnerability
CVE-2019-12308 MODERATE 5.0 1.11a1 to 1.11.21; 2.1a1 to 2.1.9; 2.2a1 to 2.2.2 1.11.21 Django Cross-site Scripting in AdminURLFieldWidget
CVE-2010-4535 MODERATE 5.0 0 to 1.1.3; 1.2 to 1.2.4 1.1.3 Improper date handling in Django
CVE-2025-48432 MODERATE 5.0 5.2 to 5.2.2; 5.0a1 to 5.1.10; 0 to 4.2.22 5.2.2 Django Improper Output Neutralization for Logs vulnerability
CVE-2024-53907 MODERATE 5.0 5.1.0 to 5.1.4; 4.2.0 to 4.2.17; 5.0.0 to 5.0.10; 5.1 to 5.1.4; 5.0 to 5.0.10; 4.2 to 4.2.17 5.1.4 Django denial-of-service in django.utils.html.strip_tags()
CVE-2025-32873 MODERATE 5.0 4.2 to 4.2.21; 5.1 to 5.1.9; 5.2 to 5.2.1 4.2.21 Django has a denial-of-service possibility in strip_tags()
CVE-2011-0697 MODERATE 5.0 1.1 to 1.1.4; 1.2 to 1.2.5 1.1.4 Cross-site scripting in django
CVE-2022-22818 MODERATE 5.0 2.2 to 2.2.27; 3.2 to 3.2.12; 4.0 to 4.0.2 2.2.27 Cross-site Scripting in Django
CVE-2013-6044 MODERATE 5.0 1.4 to 1.4.6; 1.5 to 1.5.2 1.4.6 Django cross-site scripting (XSS) vulnerability via is_safe_url function
CVE-2017-12794 MODERATE 5.0 1.10a1 to 1.10.8; 1.11a1 to 1.11.5 1.10.8 Django vulnerable to XSS on 500 pages
CVE-2016-6186 MODERATE 5.0 0 to 1.8.14; 1.9 to 1.9.8; 1.10a1 to 1.10rc1 1.8.14 Django Cross-site scripting Vulnerability
CVE-2020-24584 MODERATE 5.0 2.2 to 2.2.16; 3.0 to 3.0.10; 3.1 to 3.1.1 2.2.16 Django Incorrect Default Permissions
CVE-2021-3281 MODERATE 5.0 2.2 to 2.2.18; 3.1 to 3.1.6; 3.0 to 3.0.12 2.2.18 Django Directory Traversal via archive.extract
CVE-2010-3082 MODERATE 5.0 1.2 to 1.2.2 1.2.2 Cross-site scripting in django
CVE-2013-0306 MODERATE 5.0 1.3 to 1.3.6; 1.4 to 1.4.4 1.3.6 Django is vulnerable to Denial of Service attack in formset
CVE-2015-0220 MODERATE 5.0 0 to 1.4.18; 1.6 to 1.6.10; 1.7 to 1.7.3 1.4.18 Django Cross-site Scripting Vulnerability
CVE-2017-7234 MODERATE 5.0 1.10 to 1.10.7; 1.9 to 1.9.13; 1.8 to 1.8.18 1.10.7 Django open redirect
CVE-2024-41989 MODERATE 5.0 5.0 to 5.0.8; 4.2 to 4.2.15 5.0.8 Django memory consumption vulnerability
CVE-2021-45452 MODERATE 5.0 2.2 to 2.2.26; 3.2 to 3.2.11; 4.0 to 4.0.1 2.2.26 Directory-traversal in Django
CVE-2007-0405 MODERATE 5.0 0.95 to 1.0 1.0 Django Improper Access Control
CVE-2025-26699 MODERATE 5.0 4.2 to 4.2.20; 5.0 to 5.0.13; 5.1 to 5.1.7 4.2.20 Django vulnerable to Allocation of Resources Without Limits or Throttling
CVE-2015-5963 MODERATE 5.0 1.8 to 1.8.4; 1.7 to 1.7.10; 1.4 to 1.4.22 1.8.4 Django denial of service via empty session record creation
CVE-2016-2512 MODERATE 5.0 0 to 1.8.10; 1.9a1 to 1.9.3 1.8.10 Django XSS Vulnerability
CVE-2024-56374 MODERATE 5.0 5.1 to 5.1.5; 5.0 to 5.0.11; 4.2 to 4.2.18; 5.1 to 5.1.5; 5.0 to 5.0.11; 4.2 to 4.2.18 5.1.5 Django has a potential denial-of-service vulnerability in IPv6 validation
CVE-2021-32052 MODERATE 5.0 2.2 to 2.2.22; 3.1 to 3.1.10; 3.2 to 3.2.2 2.2.22 Header injection possible in Django
CVE-2013-1664 MODERATE 5.0 1.3.0 to 1.3.6; 1.4.0 to 1.4.4 1.3.6 XML Entity Expansion (XEE) in Django
CVE-2018-7536 MODERATE 5.0 2.0a1 to 2.0.3; 1.11a1 to 1.11.11; 1.8a1 to 1.8.19 2.0.3 Django denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2013-0305 MODERATE 5.0 1.3 to 1.3.6; 1.4 to 1.4.4 1.3.6 Django Data leakage via admin history log
CVE-2024-41991 MODERATE 5.0 5.0 to 5.0.8; 4.2 to 4.2.15 5.0.8 Django vulnerable to denial-of-service attack
CVE-2025-13372 MODERATE 5.0 5.2a1 to 5.2.9; 5.1a1 to 5.1.15; 4.2a1 to 4.2.27 5.2.9 Django is vulnerable to SQL injection in column aliases
CVE-2024-45231 MODERATE 5.0 5.1 to 5.1.1; 5.0 to 5.0.9; 0 to 4.2.16 5.1.1 Django allows enumeration of user e-mail addresses
CVE-2014-0483 MODERATE 5.0 0 to 1.4.14; 1.5 to 1.5.9; 1.6 to 1.6.6; 1.7a1 to 1.7c3 1.4.14 Django data leakage via querystring manipulation in admin
CVE-2021-44420 MODERATE 5.0 2.2a1 to 2.2.25; 3.0a1 to 3.1.14; 3.2a1 to 3.2.10 2.2.25 Potential bypass of an upstream access control based on URL paths in Django
CVE-2024-27351 MODERATE 5.0 3.2 to 3.2.25; 4.2 to 4.2.11; 5.0 to 5.0.3 3.2.25 Regular expression denial-of-service in Django
CVE-2025-64460 MODERATE 5.0 5.2a1 to 5.2.9; 5.1a1 to 5.1.15; 4.2a1 to 4.2.27 5.2.9 Django is vulnerable to DoS via XML serializer text extraction
CVE-2026-5766 MODERATE 5.0 6.0 to 6.0.5; 5.2 to 5.2.14 6.0.5 Django has an Improper Handling of Length Parameter Inconsistency
CVE-2025-27556 MODERATE 5.0 5.0 to 5.0.14; 5.1 to 5.1.8 5.0.14 Django Potential Denial of Service (DoS) on Windows
CVE-2015-5964 MODERATE 5.0 1.7 to 1.7.10; 1.4 to 1.4.22 1.7.10 Denial-of-service possibility in logout() view by filling session store
CVE-2013-1665 MODERATE 5.0 1.3.0 to 1.3.6; 1.4.0 to 1.4.4 1.3.6 XML External Entity (XXE) in Django
CVE-2024-39329 MODERATE 5.0 5.0 to 5.0.7; 4.2 to 4.2.14 5.0.7 Django vulnerable to user enumeration attack
CVE-2011-4136 MODERATE 5.0 0 to 1.2.7; 1.3 to 1.3.1 1.2.7 Session manipulation in Django
CVE-2021-28658 MODERATE 5.0 2.2a1 to 2.2.20; 3.0a1 to 3.0.14; 3.1a1 to 3.1.8 2.2.20 Directory Traversal in Django
CVE-2018-7537 LOW 2.5 2.0 to 2.0.3; 1.11 to 1.11.11; 1.8 to 1.8.19 2.0.3 Django Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
CVE-2025-13473 LOW 2.5 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has Observable Timing Discrepancy
CVE-2025-14550 LOW 2.5 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has Inefficient Algorithmic Complexity
CVE-2026-1285 LOW 2.5 6.0a1 to 6.0.2; 5.2a1 to 5.2.11; 4.2a1 to 4.2.28 6.0.2 Django has Inefficient Algorithmic Complexity
CVE-2026-6907 LOW 2.5 6.0 to 6.0.5; 5.2 to 5.2.14 6.0.5 Django Uses Cache Containing Sensitive Information
CVE-2026-35192 LOW 2.5 6.0 to 6.0.5; 5.2 to 5.2.14 6.0.5 Django Uses Persistent Cookies Containing Sensitive Information
CVE-2016-2513 LOW 2.5 0 to 1.8.10; 1.9 to 1.9.3 1.8.10 Django User Enumeration Vulnerability
CVE-2026-25674 LOW 2.5 6.0 to 6.0.3; 5.2 to 5.2.12; 4.2 to 4.2.29 6.0.3 Django has a Race Condition vulnerability
CVE-2026-4292 LOW 2.5 6.0 to 6.0.4; 5.2 to 5.2.13; 4.2 to 4.2.30 6.0.4 Django vulnerable to privilege abuse in ModelAdmin.list_editable
CVE-2026-4277 LOW 2.5 6.0 to 6.0.4; 5.2 to 5.2.13; 4.2 to 4.2.30 6.0.4 Django vulnerable to privilege abuse in GenericInlineModelAdmin
CVE-2025-59682 LOW 2.5 4.2 to 4.2.25; 5.1 to 5.1.13; 5.2 to 5.2.7 4.2.25 Django vulnerable to partial directory traversal via archives
CVE-2007-5712 UNKNOWN - 0 to 1.1 1.1 The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows rem
CVE-2008-2302 UNKNOWN - 0 to 1.1 1.1 Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject
CVE-2008-3909 UNKNOWN - 0 to 1.1 1.1 The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to cond
CVE-2009-2659 UNKNOWN - 0 to 1.1 1.1 The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory trave
CVE-2009-3695 UNKNOWN - 1.1 to 1.1.1 1.0.4 Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) Email
CVE-2010-3082 UNKNOWN - 1.2 to 1.2.2 1.2.2 Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE-2011-4136 UNKNOWN - 1.3 to 1.3.1 1.2.7 django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which a
CVE-2011-0696 UNKNOWN - 1.2 to 1.2.5 1.1.4 Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site requ
CVE-2011-0697 UNKNOWN - 1.2 to 1.2.5 1.1.4 Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file u
CVE-2011-0698 UNKNOWN - 1.2 to 1.2.5 1.1.4 Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session c
CVE-2011-4137 UNKNOWN - 1.3 to 1.3.1 1.2.7 The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which a
CVE-2010-4534 UNKNOWN - See advisory N/A The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain objec
CVE-2010-4535 UNKNOWN - See advisory N/A The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp
CVE-2011-4138 UNKNOWN - 1.3 to 1.3.1 1.2.7 The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for t
CVE-2011-0696 UNKNOWN - See advisory N/A Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site requ
CVE-2011-0697 UNKNOWN - See advisory N/A Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file u
CVE-2011-4139 UNKNOWN - 1.3 to 1.3.1 1.2.7 Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a cr
CVE-2011-4140 UNKNOWN - 1.3 to 1.3.1 1.2.7 The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers t
CVE-2010-4534 UNKNOWN - 1.2 to 1.2.4 1.1.3 The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain objec
CVE-2010-4535 UNKNOWN - 1.2 to 1.2.4 1.1.3 The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp
CVE-2012-3442 UNKNOWN - 1.4 to 1.4.1 1.3.2 The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which
CVE-2012-3443 UNKNOWN - 1.4 to 1.4.1 1.3.2 The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a
CVE-2012-3444 UNKNOWN - 1.4 to 1.4.1 1.3.2 The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows rem
CVE-2012-4520 UNKNOWN - 0 to 92d3430f12171f16f566c9050c40feefb830a4a3; 1.4 to 1.4.2 9305c0e12d43c4df999c3301a1f0c742264a657e The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host
CVE-2013-0305 UNKNOWN - 1.4 to 1.4.4 1.3.6 The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated ad
CVE-2013-0306 UNKNOWN - 1.4 to 1.4.4 1.3.6 The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of serv
CVE-2013-1443 UNKNOWN - 1.5 to 1.5.4 1.4.8 The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption)
CVE-2013-4249 UNKNOWN - 0 to cbe6d5568f4f5053ed7228ca3c3d0cce77cf9560; 1.5 to 1.5.2 90363e388c61874add3f3557ee654a996ec75d78 Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitr
CVE-2013-4315 UNKNOWN - 1.5 to 1.5.3 1.4.7 Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_R
CVE-2013-6044 UNKNOWN - 0 to 1a274ccd6bc1afbdac80344c9b6e5810c1162b5f; 1.5 to 1.5.2 ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce c
CVE-2014-0472 UNKNOWN - 1.6 to 1.6.3 1.4.11 The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Pytho
CVE-2014-1418 UNKNOWN - 1.7a0 to 1.7b4 1.4.13 Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attacker
CVE-2014-0473 UNKNOWN - 1.6 to 1.6.3 1.4.11 The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to
CVE-2014-3730 UNKNOWN - 1.7a0 to 1.7b4 1.4.13 The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduc
CVE-2014-0474 UNKNOWN - 1.6 to 1.6.3 1.4.11 The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properl
CVE-2014-0480 UNKNOWN - 1.6 to 1.6.6 1.4.14 The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attacker
CVE-2014-0481 UNKNOWN - 1.6 to 1.6.6 1.4.14 The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation
CVE-2014-0482 UNKNOWN - 1.6 to 1.6.6 1.4.14 The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.Re
CVE-2014-0483 UNKNOWN - 0 to 2b31342cdf14fc20e07c43d258f1e7334ad664a6; 1.6 to 1.6.6 2b31342cdf14fc20e07c43d258f1e7334ad664a6 The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship bet
CVE-2015-5144 UNKNOWN - 1.8 to 1.8.3 1.4.21 Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP r
CVE-2015-8213 UNKNOWN - 0 to 316bc3fc9437c5960c24baceb93c73f1939711e4; 1.9a0 to 1.9rc2 316bc3fc9437c5960c24baceb93c73f1939711e4 The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a
CVE-2015-2316 UNKNOWN - 1.8a0 to 1.8c1 1.6.11 The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of servic
CVE-2015-3982 UNKNOWN - 1.8 to 1.8.2 1.8.2 The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the s
CVE-2015-5143 UNKNOWN - 1.8 to 1.8.3 1.4.21 The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multi
CVE-2015-5145 UNKNOWN - 1.8 to 1.8.3 1.8.3 validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
CVE-2015-5963 UNKNOWN - 1.4 to 1.4.22 1.8.4 contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (
CVE-2015-5964 UNKNOWN - 1.4 to 1.4.22 1.7.10 The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sess
CVE-2015-0219 UNKNOWN - 1.7 to 1.7.3 1.4.18 Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header,
CVE-2015-0220 UNKNOWN - 1.7 to 1.7.3 1.4.18 The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cr
CVE-2015-0221 UNKNOWN - 1.7 to 1.7.3 1.4.18 The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service
CVE-2015-0222 UNKNOWN - 1.7 to 1.7.3 1.4.18 ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate val
CVE-2015-2241 UNKNOWN - 1.8a1 to 1.8b2 1.7.6 Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a m
CVE-2015-2317 UNKNOWN - 1.8a0 to 1.8c1 1.4.20 The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to co
CVE-2016-2048 UNKNOWN - 1.9 to 1.9.2 1.9.2 Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option w
CVE-2016-2512 UNKNOWN - 0 to c5544d289233f501917e25970c03ed444abbd4f0; 1.9 to 1.9.3 c5544d289233f501917e25970c03ed444abbd4f0 The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cro
CVE-2016-2513 UNKNOWN - 0 to 67b46ba7016da2d259c1ecc7d666d11f5e1cfaab; 1.9 to 1.9.3 67b46ba7016da2d259c1ecc7d666d11f5e1cfaab The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
CVE-2016-9013 UNKNOWN - 1.10 to 1.10.3 1.8.16 Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easi
CVE-2016-9014 UNKNOWN - 1.10 to 1.10.3 1.8.16 Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate
CVE-2016-6186 UNKNOWN - 0 to f68e5a99164867ab0e071a936470958ed867479d; 1.10a0 to 1.10rc1 d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and
CVE-2016-7401 UNKNOWN - 1.9 to 1.9.10 1.8.15 The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting a
CVE-2017-7234 UNKNOWN - 1.8 to 1.8.18 1.10.7 A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open
CVE-2017-12794 UNKNOWN - 1.11 to 1.11.5 1.10.8 In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cro
CVE-2017-7233 UNKNOWN - 1.8 to 1.8.18 1.10.7 Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``dja
CVE-2018-14574 UNKNOWN - 1.11 to 1.11.15 2.0.8 django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
CVE-2018-16984 UNKNOWN - 2.1 to 2.1.2 2.1.2 An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an
CVE-2018-6188 UNKNOWN - 2.0 to 2.0.2 2.0.2 django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the
CVE-2018-7536 UNKNOWN - 2.0 to 2.0.3 1.8.19 An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophi
CVE-2018-7537 UNKNOWN - 2.0 to 2.0.3 1.8.19 An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they we
CVE-2019-12781 UNKNOWN - 1.11 to 1.11.22 2.1.10 An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT sett
CVE-2019-14232 UNKNOWN - 2.2 to 2.2.4 1.11.23 An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, t
CVE-2019-14233 UNKNOWN - 1.11 to 1.11.23 2.1.11 An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely
CVE-2019-14234 UNKNOWN - 2.2 to 2.2.4 2.1.11 An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.f
CVE-2019-14235 UNKNOWN - 2.1 to 2.1.11 2.2.4 An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage
CVE-2019-19118 UNKNOWN - 2.2 to 2.2.8 2.1.15 Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edi
CVE-2019-19844 UNKNOWN - 2.2 to 2.2.9 1.11.27 Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of
CVE-2019-3498 UNKNOWN - 2.1 to 2.1.5 1.11.18 In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defau
CVE-2019-6975 UNKNOWN - 2.1 to 2.1.7 1.11.19 Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() funct
CVE-2019-12308 UNKNOWN - 2.2 to 2.2.2 2.1.9 An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without
CVE-2020-13254 UNKNOWN - 3.0 to 3.0.7 2.2.13 An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collisi
CVE-2020-13596 UNKNOWN - 3.0 to 3.0.7 2.2.13 An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility o
CVE-2020-24583 UNKNOWN - 3.1 to 3.1.1 2.2.16 An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level di
CVE-2020-24584 UNKNOWN - 3.1 to 3.1.1 2.2.16 An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's sta
CVE-2020-9402 UNKNOWN - 3.0 to 3.0.4 1.11.29 Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suit
CVE-2020-7471 UNKNOWN - 0 to eb31d845323618d688ad429479c6dda973056136; 3.0 to 3.0.3 eb31d845323618d688ad429479c6dda973056136 Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data a
CVE-2021-35042 UNKNOWN - 3.2 to 3.2.5 3.1.13 Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
CVE-2021-44420 UNKNOWN - 3.2 to 3.2.10 2.2.25 In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
CVE-2021-28658 UNKNOWN - 3.1 to 3.1.8 2.2.20 In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not
CVE-2021-31542 UNKNOWN - 3.2 to 3.2.1 2.2.21 In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-32052 UNKNOWN - 3.2 to 3.2.2 2.2.22 In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application
CVE-2021-3281 UNKNOWN - 3.1 to 3.1.6 2.2.18 In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal v
CVE-2021-33203 UNKNOWN - 3.2 to 3.2.4 2.2.24 Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the exist
CVE-2021-33571 UNKNOWN - 3.2 to 3.2.4 2.2.24 In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This ma
CVE-2021-45115 UNKNOWN - 4.0 to 4.0.1 2.2.26 An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was
CVE-2022-22818 UNKNOWN - 4.0 to 4.0.2 2.2.27 The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
CVE-2022-28346 UNKNOWN - 2.2 to 2.2.28 4.0.4 An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a
CVE-2022-28347 UNKNOWN - 2.2 to 2.2.28 4.0.4 A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion)
CVE-2021-45116 UNKNOWN - 4.0 to 4.0.1 2.2.26 An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter w
CVE-2022-23833 UNKNOWN - 4.0 to 4.0.2 2.2.27 An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing
CVE-2022-34265 UNKNOWN - 4.0 to 4.0.6 3.2.14 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name valu
CVE-2022-36359 UNKNOWN - 4.0 to 4.0.7 3.2.15 An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Di
CVE-2021-45452 UNKNOWN - 4.0 to 4.0.1 2.2.26 Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
CVE-2022-41323 UNKNOWN - 0 to 5b6b257fa7ec37ff27965358800c67e2dd11c924; 4.1 to 4.1.2 5b6b257fa7ec37ff27965358800c67e2dd11c924 In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular
CVE-2023-36053 UNKNOWN - 3.2 to 3.2.20 4.2.3 In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large numb
CVE-2023-23969 UNKNOWN - 4.1 to 4.1.6 3.2.17 In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-s
CVE-2023-24580 UNKNOWN - 4.1 to 4.1.7 3.2.18 An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart f
CVE-2023-46695 UNKNOWN - 4.2 to 4.2.7 3.2.23 An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is su
CVE-2023-41164 UNKNOWN - 4.2 to 4.2.5 3.2.21 In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large n
CVE-2023-43665 UNKNOWN - 4.2 to 4.2.6 3.2.22 In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of s
CVE-2023-31047 UNKNOWN - 4.2 to 4.2.1 3.2.19 In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been suppor
CVE-2024-45230 UNKNOWN - 4.2 to 4.2.16 5.1.1 An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via ver
CVE-2024-53907 UNKNOWN - 4.2 to 4.2.17 5.1.4 An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack
CVE-2024-53908 UNKNOWN - 4.2 to 4.2.17 5.1.4 An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subjec
CVE-2024-24680 UNKNOWN - 5.0 to 5.0.2 3.2.24 An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with ver
CVE-2024-27351 UNKNOWN - 5.0 to 5.0.3 3.2.25 In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potent
CVE-2024-38875 UNKNOWN - 5.0 to 5.0.7 4.2.14 An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of bra
CVE-2024-39329 UNKNOWN - 4.2 to 4.2.14 5.0.7 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing at
CVE-2024-39330 UNKNOWN - 4.2 to 4.2.14 5.0.7 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicatin
CVE-2024-39614 UNKNOWN - 4.2 to 4.2.14 5.0.7 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containi
CVE-2024-41989 UNKNOWN - 4.2 to 4.2.15 5.0.8 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in
CVE-2024-41990 UNKNOWN - 4.2 to 4.2.15 5.0.8 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with
CVE-2024-41991 UNKNOWN - 4.2 to 4.2.15 5.0.8 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service
CVE-2024-42005 UNKNOWN - 4.2 to 4.2.15 5.0.8 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a cr
CVE-2024-56374 UNKNOWN - 4.2 to 4.2.18 5.1.5 An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a po
CVE-2025-13372 UNKNOWN - 5.2 to 5.2.9 4.2.27 An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dicti
CVE-2025-57833 UNKNOWN - 5.2 to 5.2.6 4.2.24 An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with
CVE-2025-59681 UNKNOWN - 5.2 to 5.2.7 4.2.25 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injec
CVE-2025-64458 UNKNOWN - 5.2 to 5.2.8 4.2.26 An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.ht
CVE-2025-64459 UNKNOWN - 5.2 to 5.2.8 4.2.26 An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to
CVE-2025-64460 UNKNOWN - 5.2 to 5.2.9 4.2.27 An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cau
CVE-2025-26699 UNKNOWN - 4.2 to 4.2.20 5.1.7 An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-serv
CVE-2025-27556 UNKNOWN - 5.0 to 5.0.14 5.1.8 An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.Lo
CVE-2025-32873 UNKNOWN - 5.2 to 5.2.1 4.2.21 An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performanc
CVE-2025-48432 UNKNOWN - 4.2 to 4.2.22 5.2.2 An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially
CVE-2025-13473 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows rem
CVE-2025-14550 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple
CVE-2026-1207 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the ban
CVE-2026-1285 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_h
CVE-2026-1287 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted
CVE-2026-1312 UNKNOWN - 6.0 to 6.0.2 4.2.28 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, u
CVE-2026-33033 UNKNOWN - 6.0 to 6.0.4 4.2.30 An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Tr
CVE-2026-33034 UNKNOWN - 6.0 to 6.0.4 4.2.30 An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE
CVE-2026-35192 UNKNOWN - 6.0 to 6.0.5 5.2.14 An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker c
CVE-2026-3902 UNKNOWN - 6.0 to 6.0.4 4.2.30 An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants
CVE-2026-4277 UNKNOWN - 6.0 to 6.0.4 4.2.30 An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlin
CVE-2026-4292 UNKNOWN - 6.0 to 6.0.4 4.2.30 An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forge
CVE-2026-5766 UNKNOWN - 6.0 to 6.0.5 5.2.14 An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially l
CVE-2026-6907 UNKNOWN - 6.0 to 6.0.5 5.2.14 An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). Th
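Many rows above describe one pattern: attacker-chosen dictionary keys reaching QuerySet.filter(), annotate(), alias(), FilteredRelation or order_by() through **kwargs expansion, so that a column alias, a lookup name or a private Q() argument such as _connector becomes the injection point. Upgrading is the fix for each CVE; the durable application-side mitigation is to never expand client input straight into the ORM. The following is an added example, not code from Django or from this page, showing an allow-list gate for such input. The model fields, the permitted lookups and the sample query parameters are assumed for illustration.

```python
"""Allow-list validation for client-controlled ORM arguments.

Added example, not Django's own code. It assumes a view that once did
Model.objects.filter(**request.GET.dict()), .annotate(**{alias: expr}) and
.order_by(request.GET["sort"]) with raw client input, and now routes that
input through the checks below first. ALLOWED_FIELDS, ALLOWED_LOOKUPS and
the parameters in demo() are constructed for this example.
"""
from __future__ import annotations

import re
from typing import Mapping

# Hypothetical allow-lists for one model: fields the client may filter or
# sort on, and the lookups it may apply to them.
ALLOWED_FIELDS = {"title", "author", "published_at", "status"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "gte", "lte", "in"}

# One identifier: letters/digits with single underscores inside. Applying it
# to keys and aliases refuses a leading underscore, periods, whitespace,
# quotes and control characters, the alias vectors the rows above describe.
_IDENT = r"[A-Za-z][A-Za-z0-9]*(?:_[A-Za-z0-9]+)*"
_KEY_RE = re.compile(rf"{_IDENT}(?:__{_IDENT})?")   # "field" or "field__lookup"
_ALIAS_RE = re.compile(_IDENT)


def validate_filter_kwargs(params: Mapping[str, str]) -> tuple[dict[str, str], dict[str, str]]:
    """Split params into (accepted, rejected); rejected maps key -> reason.

    Values pass through untouched: the ORM parameterizes them. The risk in
    the advisories lies in attacker-chosen keys reaching **kwargs.
    """
    accepted: dict[str, str] = {}
    rejected: dict[str, str] = {}
    for key, value in params.items():
        if key.startswith("_"):
            # Private QuerySet/Q() arguments such as _connector or _negated
            rejected[key] = "private keyword argument"
        elif _KEY_RE.fullmatch(key) is None:
            rejected[key] = "malformed lookup key"
        else:
            field, _, lookup = key.partition("__")
            if field not in ALLOWED_FIELDS:
                rejected[key] = "field not allow-listed"
            elif lookup and lookup not in ALLOWED_LOOKUPS:
                rejected[key] = "lookup not allow-listed"
            else:
                accepted[key] = value
    return accepted, rejected


def validate_alias(name: str) -> bool:
    """True only for a plain identifier usable as an annotate()/alias() name."""
    return _ALIAS_RE.fullmatch(name) is not None


def validate_order_by(value: str) -> str | None:
    """Return "field" or "-field" for an allow-listed field, else None."""
    descending = value.startswith("-")
    field = value[1:] if descending else value
    if field not in ALLOWED_FIELDS:
        return None
    return f"-{field}" if descending else field


def demo() -> dict:
    # Constructed query parameters a client could send. The private key, the
    # period and the control character must all be refused.
    request_params = {
        "title__icontains": "django",
        "status": "published",
        "_connector": "OR",            # Q() internal, the CVE-2025-64459 vector
        "author__regex": ".*",         # lookup not allow-listed
        "published_at.year": "2024",   # period in key
        "title__icontains\n": "x",     # control character in key
        "password": "x",               # field not allow-listed
    }
    accepted, rejected = validate_filter_kwargs(request_params)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "aliases": {a: validate_alias(a) for a in ["total", "total.count", "_hidden", "n\x00"]},
        "order_by": {o: validate_order_by(o) for o in ["-published_at", "status", "title--", "id"]},
    }


if __name__ == "__main__":
    print(demo())
```

Call validate_filter_kwargs() on request.GET before filter(**accepted), and treat a non-empty rejected map as a refused request worth logging. The gate is deliberately stricter than the ORM's own grammar (no transforms, no nested relations), which is the point: the client may only name what the view has declared, so a new alias or lookup bug in the ORM has nothing attacker-controlled to work with.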

Security Recommendations

  1. Pin Django to the latest stable version (6.0.5) in your dependency manifest, or, if you stay on a long-term support branch, to its latest patch release; the most recent rows above show fixes landing in 5.2.x alongside 6.0.x, while a branch that has left support gets none
  2. Enable automated dependency updates with Dependabot or Renovate
  3. Run regular vulnerability scans using pip-audit
  4. Review your pinned requirements or lock file (requirements.txt, or the lock file your packaging tool generates) after every update and confirm the Django entry actually moved
  5. Monitor the OSV database and NIST NVD for new advisories
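The steps above amount to one check repeated on every update: find the version you are pinned to and compare it against the affected ranges in the advisory data. The following is an added example, not this page's tooling or the Django project's code, that performs that comparison offline. It assumes Django is pinned with "==" in a requirements file; the ADVISORIES table is transcribed from three rows of the table above, reading each "X to Y" range as introduced at X and first fixed at Y (Y itself is safe), which is what the OSV "fixed" event means. A real audit runs pip-audit or queries the OSV API rather than hand-copying rows; the point here is the version arithmetic those tools do, including pre-releases such as 5.2a1.

```python
"""Check a pinned Django version against known-affected ranges.

Added example, not this page's tooling or the Django project's code. The
ADVISORIES table is constructed from three rows of the table above; the
requirements file is a constructed sample.
"""
from __future__ import annotations

import re

# Constructed from the table above: CVE id -> list of (introduced, fixed).
ADVISORIES: dict[str, list[tuple[str, str]]] = {
    "CVE-2025-64459": [("5.2a1", "5.2.8"), ("5.0a1", "5.1.14"), ("0", "4.2.26")],
    "CVE-2024-42005": [("5.0", "5.0.8"), ("4.2", "4.2.15")],
    "CVE-2026-35192": [("6.0", "6.0.5"), ("5.2", "5.2.14")],
}

# Final releases plus the a/b/rc pre-release tags Django actually publishes.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # sorts after every pre-release of the same release number

# Exact pin only; "django>=4.2" is not a pin and is reported as such.
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple[tuple[int, ...], tuple[int, int]]:
    """Return a sortable key: (release padded to 3 parts, pre-release rank)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # 5.2 == 5.2.0, so 5.2a1 < 5.2 < 5.2.8
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return release, pre


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def affected_by(version: str) -> list[str]:
    """CVE ids from ADVISORIES whose ranges contain the given version."""
    return sorted(
        cve for cve, ranges in ADVISORIES.items()
        if any(is_affected(version, lo, hi) for lo, hi in ranges)
    )


def django_pin(requirements_text: str) -> str | None:
    """Exact "django==X" pin from a requirements file, or None if not pinned."""
    m = _PIN_RE.search(requirements_text)
    return m.group(1) if m else None


def osv_query(version: str) -> dict:
    """Request body for POST https://api.osv.dev/v1/query; built here, not sent."""
    return {"version": version, "package": {"name": "Django", "ecosystem": "PyPI"}}


def audit(requirements_text: str) -> dict:
    """Pinned version, matching CVE ids from the local table, and the OSV query."""
    pinned = django_pin(requirements_text)
    if pinned is None:
        return {"pinned": None, "affected": [], "osv_query": None}
    return {"pinned": pinned, "affected": affected_by(pinned), "osv_query": osv_query(pinned)}


# Constructed sample; a real file would come from the project being audited.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies (constructed sample)
Django==5.2.7
psycopg[binary]==3.2.1
"""

if __name__ == "__main__":
    print(audit(SAMPLE_REQUIREMENTS))
```

For the sample pin the result lists CVE-2025-64459 and CVE-2026-35192, both of which the table above shows fixed later in the 5.2 branch, while 5.2a1 is caught only by the first because the pre-release sorts below the 5.2 floor of the third. The same ordering rules are what pip-audit applies across the full OSV feed; the OSV query body returned by osv_query() is the request you would send to api.osv.dev to replace the hand-copied table.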

FAQ

Is Django safe to use?
Django is actively maintained and widely used. As of 2026-05-24, there are 300 known vulnerabilities listed in the OSV database. Most have patched releases, listed in the Fixed In column above. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Django have?
The OSV database currently lists 300 vulnerabilities for Django. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Django to fix vulnerabilities?
Run pip install --upgrade django to get the newest version, then pin the result. An upgrade that crosses a major or long-term support boundary can require code changes, so read the release notes and run your test suite before deploying. Use pip-audit or safety check to scan for known vulnerabilities, pin your dependencies in a requirements file, and review updates regularly.

Using AI-Generated Code with Django?

Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Django, we can verify it is locked to a safe version and properly configured.

Get a Vibe Coding Security Audit

Related Resources