Vulnerability-Lookup

OPENSUSE-SU-2026:10145-1

Vulnerability from csaf_opensuse - Published: 2026-02-04 00:00 - Updated: 2026-02-04 00:00

Summary

python312-Django6-6.0.2-1.1 on GA media

Notes

Title of the patch

python312-Django6-6.0.2-1.1 on GA media

Description of the patch

These are all security issues fixed in the python312-Django6-6.0.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2026-10145

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python312-Django6-6.0.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python312-Django6-6.0.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10145",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10145-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-13473 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-13473/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-14550 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-14550/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1207 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1207/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1285 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1285/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1287 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1287/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-1312 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-1312/"
      }
    ],
    "title": "python312-Django6-6.0.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-02-04T00:00:00Z",
      "generator": {
        "date": "2026-02-04T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10145-1",
      "initial_release_date": "2026-02-04T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-02-04T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python312-Django6-6.0.2-1.1.aarch64",
                "product": {
                  "name": "python312-Django6-6.0.2-1.1.aarch64",
                  "product_id": "python312-Django6-6.0.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.2-1.1.aarch64",
                "product": {
                  "name": "python313-Django6-6.0.2-1.1.aarch64",
                  "product_id": "python313-Django6-6.0.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python312-Django6-6.0.2-1.1.ppc64le",
                "product": {
                  "name": "python312-Django6-6.0.2-1.1.ppc64le",
                  "product_id": "python312-Django6-6.0.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.2-1.1.ppc64le",
                "product": {
                  "name": "python313-Django6-6.0.2-1.1.ppc64le",
                  "product_id": "python313-Django6-6.0.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python312-Django6-6.0.2-1.1.s390x",
                "product": {
                  "name": "python312-Django6-6.0.2-1.1.s390x",
                  "product_id": "python312-Django6-6.0.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.2-1.1.s390x",
                "product": {
                  "name": "python313-Django6-6.0.2-1.1.s390x",
                  "product_id": "python313-Django6-6.0.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python312-Django6-6.0.2-1.1.x86_64",
                "product": {
                  "name": "python312-Django6-6.0.2-1.1.x86_64",
                  "product_id": "python312-Django6-6.0.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.2-1.1.x86_64",
                "product": {
                  "name": "python313-Django6-6.0.2-1.1.x86_64",
                  "product_id": "python313-Django6-6.0.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django6-6.0.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64"
        },
        "product_reference": "python312-Django6-6.0.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django6-6.0.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le"
        },
        "product_reference": "python312-Django6-6.0.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django6-6.0.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x"
        },
        "product_reference": "python312-Django6-6.0.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-Django6-6.0.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64"
        },
        "product_reference": "python312-Django6-6.0.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64"
        },
        "product_reference": "python313-Django6-6.0.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le"
        },
        "product_reference": "python313-Django6-6.0.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x"
        },
        "product_reference": "python313-Django6-6.0.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        },
        "product_reference": "python313-Django6-6.0.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13473",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-13473"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-13473",
          "url": "https://www.suse.com/security/cve/CVE-2025-13473"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257401 for CVE-2025-13473",
          "url": "https://bugzilla.suse.com/1257401"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-13473"
    },
    {
      "cve": "CVE-2025-14550",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-14550"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-14550",
          "url": "https://www.suse.com/security/cve/CVE-2025-14550"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257403 for CVE-2025-14550",
          "url": "https://bugzilla.suse.com/1257403"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-14550"
    },
    {
      "cve": "CVE-2026-1207",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1207"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1207",
          "url": "https://www.suse.com/security/cve/CVE-2026-1207"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257405 for CVE-2026-1207",
          "url": "https://bugzilla.suse.com/1257405"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-1207"
    },
    {
      "cve": "CVE-2026-1285",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1285"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1285",
          "url": "https://www.suse.com/security/cve/CVE-2026-1285"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257406 for CVE-2026-1285",
          "url": "https://bugzilla.suse.com/1257406"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-1285"
    },
    {
      "cve": "CVE-2026-1287",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1287"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1287",
          "url": "https://www.suse.com/security/cve/CVE-2026-1287"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257407 for CVE-2026-1287",
          "url": "https://bugzilla.suse.com/1257407"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-1287"
    },
    {
      "cve": "CVE-2026-1312",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-1312"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-1312",
          "url": "https://www.suse.com/security/cve/CVE-2026-1312"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257408 for CVE-2026-1312",
          "url": "https://bugzilla.suse.com/1257408"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-1312"
    }
  ]
}

CVE-2025-13473 (GCVE-0-2025-13473)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:32 – Updated: 2026-02-03 16:19

Title

Username enumeration through timing difference in mod_wsgi authentication handler

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.2 (semver) Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver)

Credits

Stackered Jake Howard Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13473",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:19:11.902979Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:19:15.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Stackered"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003eThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Stackered for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54: Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:32:26.240Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-12T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2025-11-19T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Username enumeration through timing difference in mod_wsgi authentication handler",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2025-13473",
    "datePublished": "2026-02-03T14:32:26.240Z",
    "dateReserved": "2025-11-20T11:44:39.641Z",
    "dateUpdated": "2026-02-03T16:19:15.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14550 (GCVE-0-2025-14550)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:38 – Updated: 2026-02-03 16:27

Title

Potential denial-of-service vulnerability via repeated headers when using ASGI

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

Vendor

Product

Version

djangoproject

Django

Affected: 6.0 , < 6.0.2 (semver)
Unaffected: 6.0.2 (semver)
Affected: 5.2 , < 5.2.11 (semver)
Unaffected: 5.2.11 (semver)
Affected: 4.2 , < 4.2.28 (semver)
Unaffected: 4.2.28 (semver)

djangoproject

asgiref

Affected: 3 , < 3.11.1 (semver)
Unaffected: 3.11.1 (semver)

Credits

Jiyong Yang Jake Howard Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-14550",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:27:25.280447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:27:38.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pypi.org/project/asgiref/",
          "defaultStatus": "unaffected",
          "packageName": "asgiref",
          "product": "asgiref",
          "repo": "https://github.com/django/asgiref/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "3.11.1",
              "status": "affected",
              "version": "3",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "3.11.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Jiyong Yang"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Jiyong Yang for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130: Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "moderate"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:38:15.875Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-14T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2025-12-16T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Potential denial-of-service vulnerability via repeated headers when using ASGI",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2025-14550",
    "datePublished": "2026-02-03T14:38:15.875Z",
    "dateReserved": "2025-12-11T20:08:21.400Z",
    "dateUpdated": "2026-02-03T16:27:38.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1287 (GCVE-0-2026-1287)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:36 – Updated: 2026-02-03 16:26

Title

Potential SQL injection in column aliases via control characters

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.2 (semver) Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver)

Credits

Solomon Kebede Jake Howard Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-1287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:26:40.435996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:26:43.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Solomon Kebede"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Solomon Kebede for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66: SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "high"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:36:03.630Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-12T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-01-26T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Potential SQL injection in column aliases via control characters",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-1287",
    "datePublished": "2026-02-03T14:36:03.630Z",
    "dateReserved": "2026-01-21T14:04:43.515Z",
    "dateUpdated": "2026-02-03T16:26:43.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1207 (GCVE-0-2026-1207)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:35 – Updated: 2026-02-03 16:21

Title

Potential SQL injection via raster lookups on PostGIS

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.2 (semver) Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver)

Credits

Tarek Nakkouch Jacob Walls Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-1207",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:21:06.022295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:21:08.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Tarek Nakkouch"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003eRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66: SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "high"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:35:33.721Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-19T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-01-26T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Potential SQL injection via raster lookups on PostGIS",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-1207",
    "datePublished": "2026-02-03T14:35:33.721Z",
    "dateReserved": "2026-01-19T20:14:06.262Z",
    "dateUpdated": "2026-02-03T16:21:08.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1312 (GCVE-0-2026-1312)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:36 – Updated: 2026-02-03 16:56

Title

Potential SQL injection via QuerySet.order_by and FilteredRelation

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.2 (semver) Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver)

Credits

Solomon Kebede Jacob Walls Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-1312",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:56:09.077282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:56:37.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Solomon Kebede"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Solomon Kebede for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66: SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "high"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:36:23.257Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-12T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-01-26T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Potential SQL injection via QuerySet.order_by and FilteredRelation",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-1312",
    "datePublished": "2026-02-03T14:36:23.257Z",
    "dateReserved": "2026-01-21T20:45:05.988Z",
    "dateUpdated": "2026-02-03T16:56:37.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1285 (GCVE-0-2026-1285)

Vulnerability from cvelistv5 – Published: 2026-02-03 14:35 – Updated: 2026-02-03 16:22

Title

Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods

Summary

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/feb/03/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.2 (semver) Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver)

Credits

Seokchan Yoon Natalia Bidart Jacob Walls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-1285",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:22:30.293747Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:22:33.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.2",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.2",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.11",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.11",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.28",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.28",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Seokchan Yoon"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Natalia Bidart"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-02-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130: Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "moderate"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T14:35:50.254Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-20T18:00:00",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-01-22T18:00:00",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-02-03T08:00:00",
          "value": "Security release issued."
        }
      ],
      "title": "Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-1285",
    "datePublished": "2026-02-03T14:35:50.254Z",
    "dateReserved": "2026-01-21T12:49:21.258Z",
    "dateUpdated": "2026-02-03T16:22:33.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10145-1

CVE-2025-13473 (GCVE-0-2025-13473)

CVE-2025-14550 (GCVE-0-2025-14550)

CVE-2026-1287 (GCVE-0-2026-1287)

CVE-2026-1207 (GCVE-0-2026-1207)

CVE-2026-1312 (GCVE-0-2026-1312)

CVE-2026-1285 (GCVE-0-2026-1285)

Tags

Sightings

Nomenclature