Archive of security issues

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

Some important caveats apply to this information:

  • Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.

  • The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.

Issues under Django’s security process

All security issues have been handled under versions of Django’s security process. These are listed below.

December 4, 2024 - CVE 2024-53907

Potential denial-of-service in django.utils.html.strip_tags(). Full description

December 4, 2024 - CVE 2024-53908

Potential SQL injection in HasKey(lhs, rhs) on Oracle. Full description

September 3, 2024 - CVE 2024-45231

Potential user email enumeration via response status on password reset. Full description

September 3, 2024 - CVE 2024-45230

Potential denial-of-service vulnerability in django.utils.html.urlize(). Full description

August 6, 2024 - CVE 2024-42005

Potential SQL injection in QuerySet.values() and values_list(). Full description

August 6, 2024 - CVE 2024-41991

Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. Full description

August 6, 2024 - CVE 2024-41990

Potential denial-of-service vulnerability in django.utils.html.urlize(). Full description

August 6, 2024 - CVE 2024-41989

Potential memory exhaustion in django.utils.numberformat.floatformat(). Full description

July 9, 2024 - CVE 2024-39614

Potential denial-of-service in django.utils.translation.get_supported_language_variant(). Full description

July 9, 2024 - CVE 2024-39330

Potential directory-traversal in django.core.files.storage.Storage.save(). Full description

July 9, 2024 - CVE 2024-39329

Username enumeration through timing difference for users with unusable passwords. Full description

July 9, 2024 - CVE 2024-38875

Potential denial-of-service in django.utils.html.urlize(). Full description

March 4, 2024 - CVE 2024-27351

Potential regular expression denial-of-service in django.utils.text.Truncator.words(). Full description

February 6, 2024 - CVE 2024-24680

Potential denial-of-service in intcomma template filter. Full description

November 1, 2023 - CVE 2023-46695

Potential denial of service vulnerability in UsernameField on Windows. Full description

October 4, 2023 - CVE 2023-43665

Denial-of-service possibility in django.utils.text.Truncator. Full description

September 4, 2023 - CVE 2023-41164

Potential denial of service vulnerability in django.utils.encoding.uri_to_iri(). Full description

July 3, 2023 - CVE 2023-36053

Potential regular expression denial of service vulnerability in EmailValidator/URLValidator. Full description

May 3, 2023 - CVE 2023-31047

Potential bypass of validation when uploading multiple files using one form field. Full description

February 14, 2023 - CVE 2023-24580

Potential denial-of-service vulnerability in file uploads. Full description

February 1, 2023 - CVE 2023-23969

Potential denial-of-service via Accept-Language headers. Full description

October 4, 2022 - CVE 2022-41323

Potential denial-of-service vulnerability in internationalized URLs. Full description

August 3, 2022 - CVE 2022-36359

Potential reflected file download vulnerability in FileResponse. Full description

July 4, 2022 - CVE 2022-34265

Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments. Full description

April 11, 2022 - CVE 2022-28346

Potential SQL injection in QuerySet.annotate(), aggregate(), and extra(). Full description

April 11, 2022 - CVE 2022-28347

Potential SQL injection via QuerySet.explain(**options) on PostgreSQL. Full description

February 1, 2022 - CVE 2022-22818

Possible XSS via {% debug %} template tag. Full description

Versions affected

February 1, 2022 - CVE 2022-23833

Denial-of-service possibility in file uploads. Full description

Versions affected

January 4, 2022 - CVE 2021-45452

Potential directory-traversal via Storage.save(). Full description

Versions affected

January 4, 2022 - CVE 2021-45116

Potential information disclosure in dictsort template filter. Full description

Versions affected

January 4, 2022 - CVE 2021-45115

Denial-of-service possibility in UserAttributeSimilarityValidator. Full description

Versions affected

December 7, 2021 - CVE 2021-44420

Potential bypass of an upstream access control based on URL paths. Full description

Versions affected

July 1, 2021 - CVE 2021-35042

Potential SQL injection via unsanitized QuerySet.order_by() input. Full description

Versions affected

June 2, 2021 - CVE 2021-33203

Potential directory traversal via admindocs. Full description

Versions affected

June 2, 2021 - CVE 2021-33571

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description

Versions affected

May 6, 2021 - CVE 2021-32052

Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+. Full description

Versions affected

May 4, 2021 - CVE 2021-31542

Potential directory-traversal via uploaded files. Full description

Versions affected

April 6, 2021 - CVE 2021-28658

Potential directory-traversal via uploaded files. Full description

Versions affected

February 19, 2021 - CVE 2021-23336

Web cache poisoning via django.utils.http.limited_parse_qsl(). Full description

Versions affected

February 1, 2021 - CVE 2021-3281

Potential directory-traversal via archive.extract(). Full description

Versions affected

September 1, 2020 - CVE 2020-24584

Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description

Versions affected

September 1, 2020 - CVE 2020-24583

Incorrect permissions on intermediate-level directories on Python 3.7+. Full description

Versions affected

June 3, 2020 - CVE 2020-13596

Possible XSS via admin ForeignKeyRawIdWidget. Full description

Versions affected

June 3, 2020 - CVE 2020-13254

Potential data leakage via malformed memcached keys. Full description

Versions affected

March 4, 2020 - CVE 2020-9402

Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle. Full description

Versions affected

February 3, 2020 - CVE 2020-7471

Potential SQL injection via StringAgg(delimiter). Full description

Versions affected

December 18, 2019 - CVE 2019-19844

Potential account hijack via password reset form. Full description

Versions affected

December 2, 2019 - CVE 2019-19118

Privilege escalation in the Django admin. Full description

Versions affected

August 1, 2019 - CVE 2019-14235

Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full description

Versions affected

August 1, 2019 - CVE 2019-14234

SQL injection possibility in key and index lookups for JSONField/HStoreField. Full description

Versions affected

August 1, 2019 - CVE 2019-14233

Denial-of-service possibility in strip_tags(). Full description

Versions affected

August 1, 2019 - CVE 2019-14232

Denial-of-service possibility in django.utils.text.Truncator. Full description

Versions affected

July 1, 2019 - CVE 2019-12781

Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description

Versions affected

June 3, 2019 - CVE 2019-12308

XSS via “Current URL” link generated by AdminURLFieldWidget. Full description

Versions affected

June 3, 2019 - CVE 2019-11358

Prototype pollution in bundled jQuery. Full description

Versions affected

February 11, 2019 - CVE 2019-6975

Memory exhaustion in django.utils.numberformat.format(). Full description

Versions affected

January 4, 2019 - CVE 2019-3498

Content spoofing possibility in the default 404 page. Full description

Versions affected

October 1, 2018 - CVE 2018-16984

Password hash disclosure to “view only” admin users. Full description

Versions affected

August 1, 2018 - CVE 2018-14574

Open redirect possibility in CommonMiddleware. Full description

Versions affected

March 6, 2018 - CVE 2018-7537

Denial-of-service possibility in truncatechars_html and truncatewords_html template filters. Full description

Versions affected

March 6, 2018 - CVE 2018-7536

Denial-of-service possibility in urlize and urlizetrunc template filters. Full description

Versions affected

February 1, 2018 - CVE 2018-6188

Information leakage in AuthenticationForm. Full description

Versions affected

September 5, 2017 - CVE 2017-12794

Possible XSS in traceback section of technical 500 debug page. Full description

Versions affected

April 4, 2017 - CVE 2017-7234

Open redirect vulnerability in django.views.static.serve(). Full description

Versions affected

April 4, 2017 - CVE 2017-7233

Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description

Versions affected

November 1, 2016 - CVE 2016-9014

DNS rebinding vulnerability when DEBUG=True. Full description

Versions affected

November 1, 2016 - CVE 2016-9013

User with hardcoded password created when running tests on Oracle. Full description

Versions affected

September 26, 2016 - CVE 2016-7401

CSRF protection bypass on a site with Google Analytics. Full description

Versions affected

July 18, 2016 - CVE 2016-6186

XSS in admin’s add/change related popup. Full description

Versions affected

March 1, 2016 - CVE 2016-2513

User enumeration through timing difference on password hasher work factor upgrade. Full description

Versions affected

March 1, 2016 - CVE 2016-2512

Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description

Versions affected

February 1, 2016 - CVE 2016-2048

User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

Versions affected

November 24, 2015 - CVE 2015-8213

Settings leak possibility in date template filter. Full description

Versions affected

August 18, 2015 - CVE 2015-5963 / CVE 2015-5964

Denial-of-service possibility in logout() view by filling session store. Full description

Versions affected

July 8, 2015 - CVE 2015-5145

Denial-of-service possibility in URL validation. Full description

Versions affected

July 8, 2015 - CVE 2015-5144

Header injection possibility since validators accept newlines in input. Full description

Versions affected

July 8, 2015 - CVE 2015-5143

Denial-of-service possibility by filling session store. Full description

Versions affected

May 20, 2015 - CVE 2015-3982

Fixed session flushing in the cached_db backend. Full description

Versions affected

March 18, 2015 - CVE 2015-2317

Mitigated possible XSS attack via user-supplied redirect URLs. Full description

Versions affected

March 18, 2015 - CVE 2015-2316

Denial-of-service possibility with strip_tags(). Full description

Versions affected

March 9, 2015 - CVE 2015-2241

XSS attack via properties in ModelAdmin.readonly_fields. Full description

Versions affected

January 13, 2015 - CVE 2015-0222

Database denial-of-service with ModelMultipleChoiceField. Full description

Versions affected

January 13, 2015 - CVE 2015-0221

Denial-of-service attack against django.views.static.serve(). Full description

Versions affected

January 13, 2015 - CVE 2015-0220

Mitigated possible XSS attack via user-supplied redirect URLs. Full description

Versions affected

January 13, 2015 - CVE 2015-0219

WSGI header spoofing via underscore/dash conflation. Full description

Versions affected

August 20, 2014 - CVE 2014-0483

Data leakage via querystring manipulation in admin. Full description

Versions affected

August 20, 2014 - CVE 2014-0482

RemoteUserMiddleware session hijacking. Full description

Versions affected

August 20, 2014 - CVE 2014-0481

File upload denial of service. Full description

Versions affected

August 20, 2014 - CVE 2014-0480

reverse() can generate URLs pointing to other hosts. Full description

Versions affected

May 18, 2014 - CVE 2014-3730

Malformed URLs from user input incorrectly validated. Full description

Versions affected

May 18, 2014 - CVE 2014-1418

Caches may be allowed to store and serve private data. Full description

Versions affected

April 21, 2014 - CVE 2014-0474

MySQL typecasting causes unexpected query results. Full description

Versions affected

April 21, 2014 - CVE 2014-0473

Caching of anonymous pages could reveal CSRF token. Full description

Versions affected

April 21, 2014 - CVE 2014-0472

Unexpected code execution using reverse(). Full description

Versions affected

September 14, 2013 - CVE 2013-1443

Denial-of-service via large passwords. Full description

Versions affected

September 10, 2013 - CVE 2013-4315

Directory-traversal via ssi template tag. Full description

Versions affected

August 13, 2013 - CVE 2013-6044

Possible XSS via unvalidated URL redirect schemes. Full description

Versions affected

August 13, 2013 - CVE 2013-4249

XSS via admin trusting URLField values. Full description

Versions affected

February 19, 2013 - CVE 2013-0306

Denial-of-service via formset max_num bypass. Full description

Versions affected

February 19, 2013 - CVE 2013-0305

Information leakage via admin history log. Full description

Versions affected

February 19, 2013 - CVE 2013-1664 / CVE 2013-1665

Entity-based attacks against Python XML libraries. Full description

Versions affected

February 19, 2013 - No CVE

Additional hardening of Host header handling. Full description

Versions affected

December 10, 2012 - No CVE 2

Additional hardening of redirect validation. Full description

Versions affected

December 10, 2012 - No CVE 1

Additional hardening of Host header handling. Full description

Versions affected

October 17, 2012 - CVE 2012-4520

Host header poisoning. Full description

Versions affected

July 30, 2012 - CVE 2012-3444

Denial-of-service via large image files. Full description

Versions affected

July 30, 2012 - CVE 2012-3443

Denial-of-service via compressed image files. Full description

Versions affected

July 30, 2012 - CVE 2012-3442

XSS via failure to validate redirect scheme. Full description

Versions affected

September 9, 2011 - CVE 2011-4140

Potential CSRF via Host header. Full description

Versions affected

This notification was an advisory only, so no patches were issued.

  • Django 1.2

  • Django 1.3

September 9, 2011 - CVE 2011-4139

Host header cache poisoning. Full description

Versions affected

September 9, 2011 - CVE 2011-4138

Information leakage/arbitrary request issuance via URLField.verify_exists. Full description

Versions affected

September 9, 2011 - CVE 2011-4137

Denial-of-service via URLField.verify_exists. Full description

Versions affected

September 9, 2011 - CVE 2011-4136

Session manipulation when using memory-cache-backed session. Full description

Versions affected

February 8, 2011 - CVE 2011-0698

Directory-traversal on Windows via incorrect path-separator handling. Full description

Versions affected

February 8, 2011 - CVE 2011-0697

XSS via unsanitized names of uploaded files. Full description

Versions affected

February 8, 2011 - CVE 2011-0696

CSRF via forged HTTP headers. Full description

Versions affected

December 22, 2010 - CVE 2010-4535

Denial-of-service in password-reset mechanism. Full description

Versions affected

December 22, 2010 - CVE 2010-4534

Information leakage in administrative interface. Full description

Versions affected

September 8, 2010 - CVE 2010-3082

XSS via trusting unsafe cookie value. Full description

Versions affected

October 9, 2009 - CVE 2009-3695

Denial-of-service via pathological regular expression performance. Full description

Versions affected

July 28, 2009 - CVE 2009-2659

Directory-traversal in development server media handler. Full description

Versions affected

September 2, 2008 - CVE 2008-3909

CSRF via preservation of POST data during admin login. Full description

Versions affected

May 14, 2008 - CVE 2008-2302

XSS via admin login redirect. Full description

Versions affected

October 26, 2007 - CVE 2007-5712

Denial-of-service via arbitrarily-large Accept-Language header. Full description

Versions affected

Issues prior to Django’s security process

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

January 21, 2007 - CVE 2007-0405

Apparent “caching” of authenticated user. Full description

Versions affected

August 16, 2006 - CVE 2007-0404

Filename validation issue in translation framework. Full description

Versions affected

Back to Top