Archive of security issuesΒΆ
Djangoβs development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Djangoβs security policies.
As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).
Some important caveats apply to this information:
- Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
- The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.
Issues under Djangoβs security processΒΆ
All security issues have been handled under versions of Djangoβs security process. These are listed below.
February 14, 2023 - CVE-2023-24580ΒΆ
Potential denial-of-service vulnerability in file uploads. Full description
February 1, 2023 - CVE-2023-23969ΒΆ
Potential denial-of-service via Accept-Language headers. Full description
October 4, 2022 - CVE-2022-41323ΒΆ
Potential denial-of-service vulnerability in internationalized URLs. Full description
August 3, 2022 - CVE-2022-36359ΒΆ
Potential reflected file download vulnerability in FileResponse. Full description
July 4, 2022 - CVE-2022-34265ΒΆ
Potential SQL injection via Trunc(kind) and Extract(lookup_name)
arguments. Full description
April 11, 2022 - CVE-2022-28346ΒΆ
Potential SQL injection in QuerySet.annotate(), aggregate(), and
extra(). Full description
April 11, 2022 - CVE-2022-28347ΒΆ
Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.
Full description
February 1, 2022 - CVE-2022-22818ΒΆ
Possible XSS via {% debug %} template tag. Full description
February 1, 2022 - CVE-2022-23833ΒΆ
Denial-of-service possibility in file uploads. Full description
January 4, 2022 - CVE-2021-45452ΒΆ
Potential directory-traversal via Storage.save(). Full description
January 4, 2022 - CVE-2021-45116ΒΆ
Potential information disclosure in dictsort template filter. Full
description
January 4, 2022 - CVE-2021-45115ΒΆ
Denial-of-service possibility in UserAttributeSimilarityValidator. Full
description
December 7, 2021 - CVE-2021-44420ΒΆ
Potential bypass of an upstream access control based on URL paths. Full description
July 1, 2021 - CVE-2021-35042ΒΆ
Potential SQL injection via unsanitized QuerySet.order_by() input. Full
description
June 2, 2021 - CVE-2021-33203ΒΆ
Potential directory traversal via admindocs. Full description
June 2, 2021 - CVE-2021-33571ΒΆ
Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description
May 6, 2021 - CVE-2021-32052ΒΆ
Header injection possibility since URLValidator accepted newlines in input
on Python 3.9.5+. Full description
May 4, 2021 - CVE-2021-31542ΒΆ
Potential directory-traversal via uploaded files. Full description
April 6, 2021 - CVE-2021-28658ΒΆ
Potential directory-traversal via uploaded files. Full description
February 19, 2021 - CVE-2021-23336ΒΆ
Web cache poisoning via django.utils.http.limited_parse_qsl(). Full
description
February 1, 2021 - CVE-2021-3281ΒΆ
Potential directory-traversal via archive.extract(). Full description
September 1, 2020 - CVE-2020-24584ΒΆ
Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description
September 1, 2020 - CVE-2020-24583ΒΆ
Incorrect permissions on intermediate-level directories on Python 3.7+. Full description
June 3, 2020 - CVE-2020-13596ΒΆ
Possible XSS via admin ForeignKeyRawIdWidget. Full description
June 3, 2020 - CVE-2020-13254ΒΆ
Potential data leakage via malformed memcached keys. Full description
March 4, 2020 - CVE-2020-9402ΒΆ
Potential SQL injection via tolerance parameter in GIS functions and
aggregates on Oracle. Full description
February 3, 2020 - CVE-2020-7471ΒΆ
Potential SQL injection via StringAgg(delimiter). Full description
December 18, 2019 - CVE-2019-19844ΒΆ
Potential account hijack via password reset form. Full description
December 2, 2019 - CVE-2019-19118ΒΆ
Privilege escalation in the Django admin. Full description
August 1, 2019 - CVE-2019-14235ΒΆ
Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full
description
August 1, 2019 - CVE-2019-14234ΒΆ
SQL injection possibility in key and index lookups for
JSONField/HStoreField. Full description
August 1, 2019 - CVE-2019-14233ΒΆ
Denial-of-service possibility in strip_tags(). Full description
August 1, 2019 - CVE-2019-14232ΒΆ
Denial-of-service possibility in django.utils.text.Truncator. Full
description
July 1, 2019 - CVE-2019-12781ΒΆ
Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description
June 3, 2019 - CVE-2019-12308ΒΆ
XSS via βCurrent URLβ link generated by AdminURLFieldWidget. Full
description
June 3, 2019 - CVE-2019-11358ΒΆ
Prototype pollution in bundled jQuery. Full description
February 11, 2019 - CVE-2019-6975ΒΆ
Memory exhaustion in django.utils.numberformat.format(). Full description
Versions affectedΒΆ
- Django 2.1 (patch)
- Django 2.0 (patch and correction)
- Django 1.11 (patch)
January 4, 2019 - CVE-2019-3498ΒΆ
Content spoofing possibility in the default 404 page. Full description
October 1, 2018 - CVE-2018-16984ΒΆ
Password hash disclosure to βview onlyβ admin users. Full description
August 1, 2018 - CVE-2018-14574ΒΆ
Open redirect possibility in CommonMiddleware. Full description
March 6, 2018 - CVE-2018-7537ΒΆ
Denial-of-service possibility in truncatechars_html and
truncatewords_html template filters. Full description
March 6, 2018 - CVE-2018-7536ΒΆ
Denial-of-service possibility in urlize and urlizetrunc template
filters. Full description
February 1, 2018 - CVE-2018-6188ΒΆ
Information leakage in AuthenticationForm. Full description
September 5, 2017 - CVE-2017-12794ΒΆ
Possible XSS in traceback section of technical 500 debug page. Full description
April 4, 2017 - CVE-2017-7234ΒΆ
Open redirect vulnerability in django.views.static.serve(). Full
description
April 4, 2017 - CVE-2017-7233ΒΆ
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description
November 1, 2016 - CVE-2016-9014ΒΆ
DNS rebinding vulnerability when DEBUG=True. Full description
November 1, 2016 - CVE-2016-9013ΒΆ
User with hardcoded password created when running tests on Oracle. Full description
September 26, 2016 - CVE-2016-7401ΒΆ
CSRF protection bypass on a site with Google Analytics. Full description
July 18, 2016 - CVE-2016-6186ΒΆ
XSS in adminβs add/change related popup. Full description
March 1, 2016 - CVE-2016-2513ΒΆ
User enumeration through timing difference on password hasher work factor upgrade. Full description
March 1, 2016 - CVE-2016-2512ΒΆ
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
February 1, 2016 - CVE-2016-2048ΒΆ
User with βchangeβ but not βaddβ permission can create objects for
ModelAdminβs with save_as=True. Full description
November 24, 2015 - CVE-2015-8213ΒΆ
Settings leak possibility in date template filter. Full description
August 18, 2015 - CVE-2015-5963 / CVE-2015-5964ΒΆ
Denial-of-service possibility in logout() view by filling session store.
Full description
July 8, 2015 - CVE-2015-5145ΒΆ
Denial-of-service possibility in URL validation. Full description
July 8, 2015 - CVE-2015-5144ΒΆ
Header injection possibility since validators accept newlines in input. Full description
July 8, 2015 - CVE-2015-5143ΒΆ
Denial-of-service possibility by filling session store. Full description
May 20, 2015 - CVE-2015-3982ΒΆ
Fixed session flushing in the cached_db backend. Full description
March 18, 2015 - CVE-2015-2317ΒΆ
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
March 18, 2015 - CVE-2015-2316ΒΆ
Denial-of-service possibility with strip_tags(). Full description
March 9, 2015 - CVE-2015-2241ΒΆ
XSS attack via properties in ModelAdmin.readonly_fields. Full description
January 13, 2015 - CVE-2015-0222ΒΆ
Database denial-of-service with ModelMultipleChoiceField. Full description
January 13, 2015 - CVE-2015-0221ΒΆ
Denial-of-service attack against django.views.static.serve(). Full
description
January 13, 2015 - CVE-2015-0220ΒΆ
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
January 13, 2015 - CVE-2015-0219ΒΆ
WSGI header spoofing via underscore/dash conflation. Full description
August 20, 2014 - CVE-2014-0483ΒΆ
Data leakage via querystring manipulation in admin. Full description
August 20, 2014 - CVE-2014-0482ΒΆ
RemoteUserMiddleware session hijacking. Full description
August 20, 2014 - CVE-2014-0481ΒΆ
File upload denial of service. Full description
August 20, 2014 - CVE-2014-0480ΒΆ
reverse() can generate URLs pointing to other hosts. Full description
May 18, 2014 - CVE-2014-3730ΒΆ
Malformed URLs from user input incorrectly validated. Full description
May 18, 2014 - CVE-2014-1418ΒΆ
Caches may be allowed to store and serve private data. Full description
April 21, 2014 - CVE-2014-0474ΒΆ
MySQL typecasting causes unexpected query results. Full description
April 21, 2014 - CVE-2014-0473ΒΆ
Caching of anonymous pages could reveal CSRF token. Full description
April 21, 2014 - CVE-2014-0472ΒΆ
Unexpected code execution using reverse(). Full description
September 14, 2013 - CVE-2013-1443ΒΆ
Denial-of-service via large passwords. Full description
Versions affectedΒΆ
- Django 1.4 (patch and Python compatibility fix)
- Django 1.5 (patch)
September 10, 2013 - CVE-2013-4315ΒΆ
Directory-traversal via ssi template tag. Full description
August 13, 2013 - CVE-2013-6044ΒΆ
Possible XSS via unvalidated URL redirect schemes. Full description
August 13, 2013 - CVE-2013-4249ΒΆ
XSS via admin trusting URLField values. Full description
February 19, 2013 - CVE-2013-0306ΒΆ
Denial-of-service via formset max_num bypass. Full description
February 19, 2013 - CVE-2013-0305ΒΆ
Information leakage via admin history log. Full description
February 19, 2013 - CVE-2013-1664 / CVE-2013-1665ΒΆ
Entity-based attacks against Python XML libraries. Full description
February 19, 2013 - No CVEΒΆ
Additional hardening of Host header handling. Full description
December 10, 2012 - No CVE 2ΒΆ
Additional hardening of redirect validation. Full description
December 10, 2012 - No CVE 1ΒΆ
Additional hardening of Host header handling. Full description
October 17, 2012 - CVE-2012-4520ΒΆ
Host header poisoning. Full description
July 30, 2012 - CVE-2012-3444ΒΆ
Denial-of-service via large image files. Full description
July 30, 2012 - CVE-2012-3443ΒΆ
Denial-of-service via compressed image files. Full description
July 30, 2012 - CVE-2012-3442ΒΆ
XSS via failure to validate redirect scheme. Full description
September 9, 2011 - CVE-2011-4140ΒΆ
Potential CSRF via Host header. Full description
Versions affectedΒΆ
This notification was an advisory only, so no patches were issued.
- Django 1.2
- Django 1.3
September 9, 2011 - CVE-2011-4139ΒΆ
Host header cache poisoning. Full description
September 9, 2011 - CVE-2011-4138ΒΆ
Information leakage/arbitrary request issuance via URLField.verify_exists.
Full description
September 9, 2011 - CVE-2011-4137ΒΆ
Denial-of-service via URLField.verify_exists. Full description
September 9, 2011 - CVE-2011-4136ΒΆ
Session manipulation when using memory-cache-backed session. Full description
February 8, 2011 - CVE-2011-0698ΒΆ
Directory-traversal on Windows via incorrect path-separator handling. Full description
February 8, 2011 - CVE-2011-0697ΒΆ
XSS via unsanitized names of uploaded files. Full description
February 8, 2011 - CVE-2011-0696ΒΆ
CSRF via forged HTTP headers. Full description
December 22, 2010 - CVE-2010-4535ΒΆ
Denial-of-service in password-reset mechanism. Full description
December 22, 2010 - CVE-2010-4534ΒΆ
Information leakage in administrative interface. Full description
September 8, 2010 - CVE-2010-3082ΒΆ
XSS via trusting unsafe cookie value. Full description
October 9, 2009 - CVE-2009-3965ΒΆ
Denial-of-service via pathological regular expression performance. Full description
July 28, 2009 - CVE-2009-2659ΒΆ
Directory-traversal in development server media handler. Full description
September 2, 2008 - CVE-2008-3909ΒΆ
CSRF via preservation of POST data during admin login. Full description
May 14, 2008 - CVE-2008-2302ΒΆ
XSS via admin login redirect. Full description
October 26, 2007 - CVE-2007-5712ΒΆ
Denial-of-service via arbitrarily-large Accept-Language header. Full
description
Issues prior to Djangoβs security processΒΆ
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
January 21, 2007 - CVE-2007-0405ΒΆ
Apparent βcachingβ of authenticated user. Full description
August 16, 2006 - CVE-2007-0404ΒΆ
Filename validation issue in translation framework. Full description
