CVE-2026-48587 Potential exposure of private data via whitespace padding in Vary header

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...

CVE-2026-48587

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0...

EUVD-2026-34089

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

CVE-2026-35193

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0...

CVE-2026-8404

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0...

CVE-2026-7666 Potential unencrypted email transmission via STARTTLS in the SMTP backend

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

CVE-2026-7666

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2...

PT-2026-45949

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

Astra Linux - уязвимость в python-django

A issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. The UserAttributeSimilarityValidator incurred significant overhead when evaluating a submitted password that was artificially large relative to the comparison values. In a situation where access to user...

Astra Linux - уязвимость в python-django

A issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The values and valueslist methods on models with a JSONField are vulnerable to SQL injection when column aliases are used, due to a crafted JSON object key being passed as an argument...

Astra Linux - уязвимость в python-django

In Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1, directory traversal is allowed if the filenames are passed to it directly...

Astra Linux - уязвимость в python-django

A issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc and Extract database functions are vulnerable to SQL injection if untrusted data is used as a kind/lookupname value. Applications that restrict the choice of lookup names and kinds to a known safe list are not...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-017336)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017336 advisory. An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016790)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016790 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016788)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016788 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. .QuerySet.orderby is subject to SQL injection in column aliases containing...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-017343)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017343 advisory. An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-017339)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017339 advisory. An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize and urlizetrunc template filters are subject to a potential...

Django: Django: SQL Injection via RasterField band index parameter

A flaw was found in Django. A remote attacker could inject SQL commands by manipulating the band index parameter during raster lookups on RasterField only implemented on PostGIS. This SQL injection vulnerability could lead to unauthorized information disclosure, data alteration, or denial of...

arches (=8.0.0a1), avaintegration-metapackage (>=6.0.4.3 <=6.0.4.13) +35 more potentially affected by CVE-2026-5766 via django (>=6.0.0 <=6.0.4)

django PYPI version =6.0.0, =6.0.4.3, =2.0.0, =1.1.0, =0.1.0, =0.1.0b2, =0.2.0b1 and more Source cves: CVE-2026-5766 Source advisory: OSV:GHSA-W26R-RMM8-9C29...

cg-django-uaa (=2.1.9), deeplabelnet (>=0.1.0 <=0.1.16) +39 more potentially affected by CVE-2026-6907 via django (>=5.2.0 <=5.2.13)

django PYPI version =5.2.0, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =5.2.0, =5.2.1 - djbackup =2.1.0 and more Source cves: CVE-2026-6907 Source advisory: OSV:GHSA-5HRC-GVXJ-W55P...