CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

SUSE CVE•added 2026/06/04 2:30 a.m.•13 views

SUSE CVE-2026-7666

7.4CVSS5.7AI score0.0015EPSS

vulnersOsv•added 2026/06/03 4:23 p.m.•4 views

11x-wagtail-blog (>=0.0.0 <=0.2.0), aa-altcorp (>=0.1.2b0 <=1.1.1) +1647 more potentially affected by CVE-2026-7666 via django (>=5.0.0 <=5.2.14)

django PYPI version =5.0.0, =0.0.0, =0.1.2b0, =0.0.1a1, =0.1.1, =3.1.0b1, =1.0.3, =0.0.1a2, =0.1.0, =0.2.0, =1.0.0, =1.1.0b3, =0.1.0b1, =0.11.1 and more Source cves: CVE-2026-7666 Source advisory: SNYK:PYTHON-DJANGO-17151727...

3.1CVSS5.4AI score0.0015EPSS

AlpineLinux•added 2026/06/03 1:16 p.m.•6 views

CVE-2026-8404

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

5.3CVSS5.4AI score0.00285EPSS

Positive Technologies•added 2026/06/03 12:0 a.m.•13 views

PT-2026-45938

Name of the Vulnerable Software and Affected Versions Django versions prior to 5.2.15 Django versions prior to 6.0.6 Description An issue exists in django.middleware.cache.UpdateCacheMiddleware where the Authorization header is not added to the Vary response header for requests that include that...

5.3CVSS5.5AI score0.00359EPSS

Exploits0References40

Tenable Nessus•added 2026/06/03 12:0 a.m.•13 views

Linux Distros Unpatched Vulnerability : CVE-2026-48587

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespa...

5.3CVSS5.5AI score0.00354EPSS

OSV•added 2026/05/08 8:41 a.m.•2 views

BIT-DJANGO-2026-35192 Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

6.5CVSS5.8AI score0.00544EPSS

NVD•added 2026/05/05 4:16 p.m.•19 views

CVE-2026-6907

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...

5.3CVSS0.00358EPSS

OSV•added 2026/05/05 4:16 p.m.•13 views

PYSEC-2026-55

5.3CVSS5.7AI score0.00358EPSS

Positive Technologies•added 2026/05/05 12:0 a.m.•10 views

PT-2026-37077

Name of the Vulnerable Software and Affected Versions Django versions 6.0 through 6.0.4 Django versions 5.2 through 5.2.13 Description ASGI requests with a missing or understated Content-Length header can bypass the FILE UPLOAD MAX MEMORY SIZE limit. This allows large files to be loaded into...

6.3CVSS5.8AI score0.00423EPSS

Exploits0References20

OSV•added 2026/04/07 3:30 p.m.•1 views

GHSA-933H-HP56-HF7M Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.8AI score0.00769EPSS

Exploits0References6

vulnersOsv•added 2026/04/07 3:17 p.m.•3 views

arthexis (>=0.2.6 <=0.8.0), cg-django-uaa (=2.1.9) +29 more potentially affected by CVE-2026-4292 via django (>=5.2.0 <=5.2.12)

django PYPI version =5.2.0, =0.2.6, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-4292 Source advisory: OSV:PYSEC-2026-53...

2.7CVSS5.4AI score0.00294EPSS

vulnersOsv•added 2026/04/07 3:17 p.m.•5 views

arthexis (>=0.2.6 <=0.8.0), cg-django-uaa (=2.1.9) +29 more potentially affected by CVE-2026-3902 via django (>=5.2.0 <=5.2.12)

django PYPI version =5.2.0, =0.2.6, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-3902 Source advisory: OSV:PYSEC-2026-51...

7.5CVSS5.4AI score0.00436EPSS

NVD•added 2026/04/07 3:17 p.m.•7 views

CVE-2026-33033

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads with Content-Transfer-Encoding: base64 including excessive whitespace. Earlier, unsupported Django series such as...

6.5CVSS0.00689EPSS

Exploits1References3

Vulnrichment•added 2026/04/07 2:22 p.m.•0 views

CVE-2026-4292 Privilege abuse in ModelAdmin.list_editable

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.listeditable incorrectly allowed new instances to be created via forged POST data. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated a...

5.8AI score0.00294EPSS

OSV•added 2026/04/07 2:0 p.m.•1 views

UBUNTU-CVE-2026-33034

7.5CVSS5.8AI score0.00769EPSS

OSV•added 2026/02/05 8:38 a.m.•6 views

BIT-DJANGO-2026-1287 Potential SQL injection in column aliases via control characters

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet methods annotate, aggregat...

5.4CVSS5.7AI score0.00491EPSS

OSV•added 2026/02/03 3:16 p.m.•5 views

CVE-2026-1207

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField only implemented on PostGIS allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluate...

5.4CVSS5.7AI score