Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
djangoproject django vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2023-31047
In Django 3.2 prior to 3.2.19, 4.x prior to 4.1.9, and 4.2 prior to 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file wa...
Djangoproject Django 4.2
Djangoproject Django
Fedoraproject Fedora 38
9.8
CVSSv3
CVE-2022-34265
An issue exists in Django 3.2 prior to 3.2.14 and 4.0 prior to 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list ...
Djangoproject Django
8 Github repositories
9.8
CVSSv3
CVE-2022-28346
An issue exists in Django 2.2 prior to 2.2.28, 3.2 prior to 3.2.13, and 4.0 prior to 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Djangoproject Django
Debian Debian Linux 9.0
Debian Debian Linux 11.0
7 Github repositories
9.8
CVSSv3
CVE-2022-28347
A SQL injection issue exists in QuerySet.explain() in Django 2.2 prior to 2.2.28, 3.2 prior to 3.2.13, and 4.0 prior to 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Djangoproject Django
Debian Debian Linux 11.0
2 Github repositories
9.8
CVSSv3
CVE-2021-35042
Django 3.1.x prior to 3.1.13 and 3.2.x prior to 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
Djangoproject Django
Fedoraproject Fedora 34
9 Github repositories
9.8
CVSSv3
CVE-2020-7471
Django 1.11 prior to 1.11.28, 2.2 prior to 2.2.10, and 3.0 prior to 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a s...
Djangoproject Django
11 Github repositories
9.8
CVSSv3
CVE-2019-19844
Django prior to 1.11.27, 2.x prior to 2.2.9, and 3.x prior to 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an malicious user to be sent a passwo...
Djangoproject Django
Djangoproject Django 3.0
Canonical Ubuntu Linux 16.04
Canonical Ubuntu Linux 18.04
Canonical Ubuntu Linux 19.04
Canonical Ubuntu Linux 19.10
7 Github repositories
9.8
CVSSv3
CVE-2019-14234
An issue exists in Django 1.11.x prior to 1.11.23, 2.1.x prior to 2.1.11, and 2.2.x prior to 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, w...
Djangoproject Django
Fedoraproject Fedora 30
Debian Debian Linux 9.0
Debian Debian Linux 10.0
1 Github repository
8.8
CVSSv3
CVE-2022-36359
An issue exists in the HTTP FileResponse class in Django 3.2 prior to 3.2.15 and 4.0 prior to 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied i...
Djangoproject Django
Debian Debian Linux 11.0
8.8
CVSSv3
CVE-2020-9402
Django 1.11 prior to 1.11.29, 2.2 prior to 2.2.11, and 3.0 prior to 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was p...
Djangoproject Django
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Fedoraproject Fedora 31
Fedoraproject Fedora 32
Netapp Steelstore Cloud Integrated Storage -
Canonical Ubuntu Linux 18.04
Canonical Ubuntu Linux 19.10
Canonical Ubuntu Linux 16.04
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
encryption
CVE-2024-4331
CVE-2024-26925
arbitrary code
CVE-2006-4304
CVE-2024-25458
CVE-2024-27077
reflected XSS
CVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »