Archive of security issues¶
Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.
As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).
Some important caveats apply to this information:
Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.
Issues under Django’s security process¶
All security issues have been handled under versions of Django’s security process. These are listed below.
September 3, 2024 - CVE 2024-45231¶
Potential user email enumeration via response status on password reset. Full description
September 3, 2024 - CVE 2024-45230¶
Potential denial-of-service vulnerability in django.utils.html.urlize().
Full description
August 6, 2024 - CVE 2024-42005¶
Potential SQL injection in QuerySet.values() and values_list().
Full description
August 6, 2024 - CVE 2024-41991¶
Potential denial-of-service vulnerability in django.utils.html.urlize() and
AdminURLFieldWidget. Full description
August 6, 2024 - CVE 2024-41990¶
Potential denial-of-service vulnerability in django.utils.html.urlize().
Full description
August 6, 2024 - CVE 2024-41989¶
Potential memory exhaustion in django.utils.numberformat.floatformat().
Full description
July 9, 2024 - CVE 2024-39614¶
Potential denial-of-service in
django.utils.translation.get_supported_language_variant().
Full description
July 9, 2024 - CVE 2024-39330¶
Potential directory-traversal in django.core.files.storage.Storage.save().
Full description
July 9, 2024 - CVE 2024-39329¶
Username enumeration through timing difference for users with unusable passwords. Full description
July 9, 2024 - CVE 2024-38875¶
Potential denial-of-service in django.utils.html.urlize().
Full description
March 4, 2024 - CVE 2024-27351¶
Potential regular expression denial-of-service in
django.utils.text.Truncator.words(). Full description
February 6, 2024 - CVE 2024-24680¶
Potential denial-of-service in intcomma template filter.
Full description
November 1, 2023 - CVE 2023-46695¶
Potential denial of service vulnerability in UsernameField on Windows.
Full description
October 4, 2023 - CVE 2023-43665¶
Denial-of-service possibility in django.utils.text.Truncator.
Full description
September 4, 2023 - CVE 2023-41164¶
Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri(). Full description
July 3, 2023 - CVE 2023-36053¶
Potential regular expression denial of service vulnerability in
EmailValidator/URLValidator. Full description
May 3, 2023 - CVE 2023-31047¶
Potential bypass of validation when uploading multiple files using one form field. Full description
February 14, 2023 - CVE 2023-24580¶
Potential denial-of-service vulnerability in file uploads. Full description
February 1, 2023 - CVE 2023-23969¶
Potential denial-of-service via Accept-Language headers. Full description
October 4, 2022 - CVE 2022-41323¶
Potential denial-of-service vulnerability in internationalized URLs. Full description
August 3, 2022 - CVE 2022-36359¶
Potential reflected file download vulnerability in FileResponse. Full description
July 4, 2022 - CVE 2022-34265¶
Potential SQL injection via Trunc(kind) and Extract(lookup_name)
arguments. Full description
April 11, 2022 - CVE 2022-28346¶
Potential SQL injection in QuerySet.annotate(), aggregate(), and
extra(). Full description
April 11, 2022 - CVE 2022-28347¶
Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.
Full description
February 1, 2022 - CVE 2022-22818¶
Possible XSS via {% debug %} template tag. Full description
Versions affected¶
February 1, 2022 - CVE 2022-23833¶
Denial-of-service possibility in file uploads. Full description
Versions affected¶
January 4, 2022 - CVE 2021-45452¶
Potential directory-traversal via Storage.save(). Full description
Versions affected¶
January 4, 2022 - CVE 2021-45116¶
Potential information disclosure in dictsort template filter. Full
description
Versions affected¶
January 4, 2022 - CVE 2021-45115¶
Denial-of-service possibility in UserAttributeSimilarityValidator. Full
description
Versions affected¶
December 7, 2021 - CVE 2021-44420¶
Potential bypass of an upstream access control based on URL paths. Full description
Versions affected¶
July 1, 2021 - CVE 2021-35042¶
Potential SQL injection via unsanitized QuerySet.order_by() input. Full
description
Versions affected¶
June 2, 2021 - CVE 2021-33203¶
Potential directory traversal via admindocs. Full description
Versions affected¶
June 2, 2021 - CVE 2021-33571¶
Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description
Versions affected¶
May 6, 2021 - CVE 2021-32052¶
Header injection possibility since URLValidator accepted newlines in input
on Python 3.9.5+. Full description
Versions affected¶
May 4, 2021 - CVE 2021-31542¶
Potential directory-traversal via uploaded files. Full description
Versions affected¶
April 6, 2021 - CVE 2021-28658¶
Potential directory-traversal via uploaded files. Full description
Versions affected¶
February 19, 2021 - CVE 2021-23336¶
Web cache poisoning via django.utils.http.limited_parse_qsl(). Full
description
Versions affected¶
February 1, 2021 - CVE 2021-3281¶
Potential directory-traversal via archive.extract(). Full description
Versions affected¶
September 1, 2020 - CVE 2020-24584¶
Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description
Versions affected¶
September 1, 2020 - CVE 2020-24583¶
Incorrect permissions on intermediate-level directories on Python 3.7+. Full description
Versions affected¶
June 3, 2020 - CVE 2020-13596¶
Possible XSS via admin ForeignKeyRawIdWidget. Full description
Versions affected¶
June 3, 2020 - CVE 2020-13254¶
Potential data leakage via malformed memcached keys. Full description
Versions affected¶
March 4, 2020 - CVE 2020-9402¶
Potential SQL injection via tolerance parameter in GIS functions and
aggregates on Oracle. Full description
Versions affected¶
February 3, 2020 - CVE 2020-7471¶
Potential SQL injection via StringAgg(delimiter). Full description
Versions affected¶
December 18, 2019 - CVE 2019-19844¶
Potential account hijack via password reset form. Full description
Versions affected¶
December 2, 2019 - CVE 2019-19118¶
Privilege escalation in the Django admin. Full description
Versions affected¶
August 1, 2019 - CVE 2019-14235¶
Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full
description
Versions affected¶
August 1, 2019 - CVE 2019-14234¶
SQL injection possibility in key and index lookups for
JSONField/HStoreField. Full description
Versions affected¶
August 1, 2019 - CVE 2019-14233¶
Denial-of-service possibility in strip_tags(). Full description
Versions affected¶
August 1, 2019 - CVE 2019-14232¶
Denial-of-service possibility in django.utils.text.Truncator. Full
description
Versions affected¶
July 1, 2019 - CVE 2019-12781¶
Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description
Versions affected¶
June 3, 2019 - CVE 2019-12308¶
XSS via “Current URL” link generated by AdminURLFieldWidget. Full
description
Versions affected¶
June 3, 2019 - CVE 2019-11358¶
Prototype pollution in bundled jQuery. Full description
Versions affected¶
February 11, 2019 - CVE 2019-6975¶
Memory exhaustion in django.utils.numberformat.format(). Full description
Versions affected¶
Django 2.1 (patch)
Django 2.0 (patch and correction)
Django 1.11 (patch)
January 4, 2019 - CVE 2019-3498¶
Content spoofing possibility in the default 404 page. Full description
Versions affected¶
October 1, 2018 - CVE 2018-16984¶
Password hash disclosure to “view only” admin users. Full description
Versions affected¶
Django 2.1 (patch)
August 1, 2018 - CVE 2018-14574¶
Open redirect possibility in CommonMiddleware. Full description
Versions affected¶
March 6, 2018 - CVE 2018-7537¶
Denial-of-service possibility in truncatechars_html and
truncatewords_html template filters. Full description
Versions affected¶
March 6, 2018 - CVE 2018-7536¶
Denial-of-service possibility in urlize and urlizetrunc template
filters. Full description
Versions affected¶
February 1, 2018 - CVE 2018-6188¶
Information leakage in AuthenticationForm. Full description
Versions affected¶
September 5, 2017 - CVE 2017-12794¶
Possible XSS in traceback section of technical 500 debug page. Full description
Versions affected¶
April 4, 2017 - CVE 2017-7234¶
Open redirect vulnerability in django.views.static.serve(). Full
description
Versions affected¶
April 4, 2017 - CVE 2017-7233¶
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description
Versions affected¶
November 1, 2016 - CVE 2016-9014¶
DNS rebinding vulnerability when DEBUG=True. Full description
Versions affected¶
November 1, 2016 - CVE 2016-9013¶
User with hardcoded password created when running tests on Oracle. Full description
Versions affected¶
September 26, 2016 - CVE 2016-7401¶
CSRF protection bypass on a site with Google Analytics. Full description
Versions affected¶
July 18, 2016 - CVE 2016-6186¶
XSS in admin’s add/change related popup. Full description
Versions affected¶
March 1, 2016 - CVE 2016-2513¶
User enumeration through timing difference on password hasher work factor upgrade. Full description
Versions affected¶
March 1, 2016 - CVE 2016-2512¶
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
Versions affected¶
February 1, 2016 - CVE 2016-2048¶
User with “change” but not “add” permission can create objects for
ModelAdmin’s with save_as=True. Full description
Versions affected¶
Django 1.9 (patch)
November 24, 2015 - CVE 2015-8213¶
Settings leak possibility in date template filter. Full description
Versions affected¶
August 18, 2015 - CVE 2015-5963 / CVE 2015-5964¶
Denial-of-service possibility in logout() view by filling session store.
Full description
Versions affected¶
July 8, 2015 - CVE 2015-5145¶
Denial-of-service possibility in URL validation. Full description
Versions affected¶
Django 1.8 (patch)
July 8, 2015 - CVE 2015-5144¶
Header injection possibility since validators accept newlines in input. Full description
Versions affected¶
July 8, 2015 - CVE 2015-5143¶
Denial-of-service possibility by filling session store. Full description
Versions affected¶
May 20, 2015 - CVE 2015-3982¶
Fixed session flushing in the cached_db backend. Full description
Versions affected¶
Django 1.8 (patch)
March 18, 2015 - CVE 2015-2317¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
Versions affected¶
March 18, 2015 - CVE 2015-2316¶
Denial-of-service possibility with strip_tags(). Full description
Versions affected¶
March 9, 2015 - CVE 2015-2241¶
XSS attack via properties in ModelAdmin.readonly_fields. Full description
Versions affected¶
January 13, 2015 - CVE 2015-0222¶
Database denial-of-service with ModelMultipleChoiceField. Full description
Versions affected¶
January 13, 2015 - CVE 2015-0221¶
Denial-of-service attack against django.views.static.serve(). Full
description
Versions affected¶
January 13, 2015 - CVE 2015-0220¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
Versions affected¶
January 13, 2015 - CVE 2015-0219¶
WSGI header spoofing via underscore/dash conflation. Full description
Versions affected¶
August 20, 2014 - CVE 2014-0483¶
Data leakage via querystring manipulation in admin. Full description
Versions affected¶
August 20, 2014 - CVE 2014-0482¶
RemoteUserMiddleware session hijacking. Full description
Versions affected¶
August 20, 2014 - CVE 2014-0481¶
File upload denial of service. Full description
Versions affected¶
August 20, 2014 - CVE 2014-0480¶
reverse() can generate URLs pointing to other hosts. Full description
Versions affected¶
May 18, 2014 - CVE 2014-3730¶
Malformed URLs from user input incorrectly validated. Full description
Versions affected¶
May 18, 2014 - CVE 2014-1418¶
Caches may be allowed to store and serve private data. Full description
Versions affected¶
April 21, 2014 - CVE 2014-0474¶
MySQL typecasting causes unexpected query results. Full description
Versions affected¶
April 21, 2014 - CVE 2014-0473¶
Caching of anonymous pages could reveal CSRF token. Full description
Versions affected¶
April 21, 2014 - CVE 2014-0472¶
Unexpected code execution using reverse(). Full description
Versions affected¶
September 14, 2013 - CVE 2013-1443¶
Denial-of-service via large passwords. Full description
Versions affected¶
Django 1.4 (patch and Python compatibility fix)
Django 1.5 (patch)
September 10, 2013 - CVE 2013-4315¶
Directory-traversal via ssi template tag. Full description
Versions affected¶
August 13, 2013 - CVE 2013-6044¶
Possible XSS via unvalidated URL redirect schemes. Full description
Versions affected¶
August 13, 2013 - CVE 2013-4249¶
XSS via admin trusting URLField values. Full description
Versions affected¶
Django 1.5 (patch)
February 19, 2013 - CVE 2013-0306¶
Denial-of-service via formset max_num bypass. Full description
Versions affected¶
February 19, 2013 - CVE 2013-0305¶
Information leakage via admin history log. Full description
Versions affected¶
February 19, 2013 - CVE 2013-1664 / CVE 2013-1665¶
Entity-based attacks against Python XML libraries. Full description
Versions affected¶
February 19, 2013 - No CVE¶
Additional hardening of Host header handling. Full description
Versions affected¶
December 10, 2012 - No CVE 2¶
Additional hardening of redirect validation. Full description
Versions affected¶
December 10, 2012 - No CVE 1¶
Additional hardening of Host header handling. Full description
Versions affected¶
October 17, 2012 - CVE 2012-4520¶
Host header poisoning. Full description
Versions affected¶
July 30, 2012 - CVE 2012-3444¶
Denial-of-service via large image files. Full description
Versions affected¶
July 30, 2012 - CVE 2012-3443¶
Denial-of-service via compressed image files. Full description
Versions affected¶
July 30, 2012 - CVE 2012-3442¶
XSS via failure to validate redirect scheme. Full description
Versions affected¶
September 9, 2011 - CVE 2011-4140¶
Potential CSRF via Host header. Full description
Versions affected¶
This notification was an advisory only, so no patches were issued.
Django 1.2
Django 1.3
September 9, 2011 - CVE 2011-4139¶
Host header cache poisoning. Full description
Versions affected¶
September 9, 2011 - CVE 2011-4138¶
Information leakage/arbitrary request issuance via URLField.verify_exists.
Full description
Versions affected¶
September 9, 2011 - CVE 2011-4137¶
Denial-of-service via URLField.verify_exists. Full description
Versions affected¶
September 9, 2011 - CVE 2011-4136¶
Session manipulation when using memory-cache-backed session. Full description
Versions affected¶
February 8, 2011 - CVE 2011-0698¶
Directory-traversal on Windows via incorrect path-separator handling. Full description
Versions affected¶
February 8, 2011 - CVE 2011-0697¶
XSS via unsanitized names of uploaded files. Full description
Versions affected¶
February 8, 2011 - CVE 2011-0696¶
CSRF via forged HTTP headers. Full description
Versions affected¶
December 22, 2010 - CVE 2010-4535¶
Denial-of-service in password-reset mechanism. Full description
Versions affected¶
December 22, 2010 - CVE 2010-4534¶
Information leakage in administrative interface. Full description
Versions affected¶
September 8, 2010 - CVE 2010-3082¶
XSS via trusting unsafe cookie value. Full description
Versions affected¶
Django 1.2 (patch)
October 9, 2009 - CVE 2009-3695¶
Denial-of-service via pathological regular expression performance. Full description
Versions affected¶
July 28, 2009 - CVE 2009-2659¶
Directory-traversal in development server media handler. Full description
Versions affected¶
September 2, 2008 - CVE 2008-3909¶
CSRF via preservation of POST data during admin login. Full description
Versions affected¶
May 14, 2008 - CVE 2008-2302¶
XSS via admin login redirect. Full description
Versions affected¶
October 26, 2007 - CVE 2007-5712¶
Denial-of-service via arbitrarily-large Accept-Language header. Full
description
Versions affected¶
Issues prior to Django’s security process¶
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
January 21, 2007 - CVE 2007-0405¶
Apparent “caching” of authenticated user. Full description
Versions affected¶
Django 0.95 (patch)
August 16, 2006 - CVE 2007-0404¶
Filename validation issue in translation framework. Full description
