CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-48432 – Ubuntu Security Notice USN-7555-1
https://notcve.org/view.php?id=CVE-2025-48432
05 Jun 2025 — An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. Se descubrió un problema en Django 5.2 (anterior a la 5.2.2), 5.1 (anterior a la 5.1.10) y 4.2 (anterior a la 4.2.22). El registro interno de respuestas HTTP no e... • https://docs.djangoproject.com/en/dev/releases/security • CWE-117: Improper Output Neutralization for Logs •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2025-32873 – Ubuntu Security Notice USN-7501-2
https://notcve.org/view.php?id=CVE-2025-32873
08 May 2025 — An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags(). USN-7501-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. • https://github.com/Apollo-R3bot/django-vulnerability-CVE-2025-32873 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27556 – openSUSE Security Advisory - openSUSE-SU-2025:14986-1
https://notcve.org/view.php?id=CVE-2025-27556
02 Apr 2025 — An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. These are all security issues fixed in the python311-Django-5.1.8-1.1 package on the GA media of openSUSE Tumbleweed. • https://docs.djangoproject.com/en/dev/releases/security • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-26699 – django: Potential denial-of-service vulnerability in django.utils.text.wrap()
https://notcve.org/view.php?id=CVE-2025-26699
28 Feb 2025 — An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings. A potential denial of service vulnerability exists in django.utils.text.wrap() and the wordwrap template filter. When processing extremely long strings, these functions may cause excessive resource consumption, potentially leading to service disruption. It was discov... • https://docs.djangoproject.com/en/dev/releases/security • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56374 – django: potential denial-of-service vulnerability in IPv6 validation
https://notcve.org/view.php?id=CVE-2024-56374
14 Jan 2025 — An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) A flaw was found in the Django framework. • https://docs.djangoproject.com/en/dev/releases/security • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53907 – django: Potential denial-of-service in django.utils.html.strip_tags()
https://notcve.org/view.php?id=CVE-2024-53907
05 Dec 2024 — An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. A vulnerability was found in the Django Web Framework. The strip_tags() and stripbtags template filter may be vulnerable to a potential denial of service (DoS) in cases of a large sequence of nested incomplete HTML entities. jiang... • https://docs.djangoproject.com/en/dev/releases/security • CWE-770: Allocation of Resources Without Limits or Throttling CWE-1169: SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON) •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2024-53908 – django: Potential SQL injection in HasKey(lhs, rhs) on Oracle
https://notcve.org/view.php?id=CVE-2024-53908
05 Dec 2024 — An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) A vulnerability was found in the Django Web Framework. The direct usage of django.db.models.fields.json.HasKey may be vulnerable to SQL injection if untrusted data is used to... • https://docs.djangoproject.com/en/dev/releases/security • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45231 – Ubuntu Security Notice USN-6987-1
https://notcve.org/view.php?id=CVE-2024-45231
04 Sep 2024 — An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. It was discovered that Django... • https://docs.djangoproject.com/en/dev/releases/security • CWE-203: Observable Discrepancy •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-45230 – python-django: Potential denial-of-service vulnerability in django.utils.html.urlize()
https://notcve.org/view.php?id=CVE-2024-45230
04 Sep 2024 — An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. A flaw was found in Python's Django urlize() and urlizetrunc() functions. Excessive input with a specific sequence of characters may lead to denial of service. It was discovered that Django incorrectly handled certain inputs. • https://docs.djangoproject.com/en/dev/releases/security • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-41991 – python-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget
https://notcve.org/view.php?id=CVE-2024-41991
07 Aug 2024 — An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. A flaw was found in Django. 'urlize', 'urlizetrunc', and 'AdminURLFieldWidget' may be subject to a denial of service attack via certain inputs with a very large number of Unicode characters. It was discovered that Django incorrectly handl... • https://docs.djangoproject.com/en/dev/releases/security • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-400: Uncontrolled Resource Consumption •