Description
Vulnerable Library - Django-4.2.18-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/93/76/39c641b5787e5e61f35b9d29c6f19bf94506bf7be3e48249f72233c4625d/Django-4.2.18-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/Django-4.2.18.dist-info
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (Django version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-64459 | 9.1 | Django-4.2.18-py3-none-any.whl | Direct | https://github.com/django/django.git - 5.1.14, https://github.com/django/django.git - 4.2.26, django - 5.2.8, https://github.com/django/django.git - 5.2.8, django - 5.1.14, django - 4.2.26 | ❌ |
| CVE-2025-64460 | 7.5 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.27 | ❌ |
| CVE-2025-64458 | 7.5 | Django-4.2.18-py3-none-any.whl | Direct | django - 4.2.26, django - 5.1.14, django - 5.2.8, https://github.com/django/django.git - 5.2.26, https://github.com/django/django.git - 5.2.8, https://github.com/django/django.git - 5.1.14 | ❌ |
| CVE-2025-59681 | 7.1 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.25 | ❌ |
| CVE-2025-57833 | 7.1 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.24 | ❌ |
| CVE-2025-32873 | 5.3 | Django-4.2.18-py3-none-any.whl | Direct | Django - 4.2.21, https://github.com/django/django.git - 5.2.1, https://github.com/django/django.git - 5.1.9, Django - 5.1.9, https://github.com/django/django.git - 4.2.21, Django - 5.2.1 | ❌ |
| CVE-2025-26699 | 5.0 | Django-4.2.18-py3-none-any.whl | Direct | 5.0.13, 4.2.20, 5.1.7 | ❌ |
| CVE-2025-13372 | 4.3 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.27 | ❌ |
| CVE-2025-48432 | 4.0 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.22 | ❌ |
| CVE-2025-59682 | 3.1 | Django-4.2.18-py3-none-any.whl | Direct | 4.2.25 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64459
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-05
Fix Resolution: https://github.com/django/django.git - 5.1.14,https://github.com/django/django.git - 4.2.26,django - 5.2.8,https://github.com/django/django.git - 5.2.8,django - 5.1.14,django - 4.2.26
Step up your Open Source Security Game with Mend here
CVE-2025-64460
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in "django.core.serializers.xml_serializer.getInnerText()" allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML "Deserializer".
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-64460
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
CVE-2025-64458
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, "django.http.HttpResponseRedirect", "django.http.HttpResponsePermanentRedirect", and the shortcut "django.shortcuts.redirect" were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64458
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw25-v68c-qjf3
Release Date: 2025-11-05
Fix Resolution: django - 4.2.26,django - 5.1.14,django - 5.2.8,https://github.com/django/django.git - 5.2.26,https://github.com/django/django.git - 5.2.8,https://github.com/django/django.git - 5.1.14
CVE-2025-59681
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to these methods (on MySQL and MariaDB).
Publish Date: 2025-10-01
URL: CVE-2025-59681
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-hpr9-3m2g-3j9p
Release Date: 2025-10-01
Fix Resolution: 4.2.25
CVE-2025-57833
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to QuerySet.annotate() or QuerySet.alias().
Publish Date: 2025-09-03
URL: CVE-2025-57833
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
Release Date: 2025-09-03
Fix Resolution: 4.2.24
CVE-2025-32873
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Publish Date: 2025-05-08
URL: CVE-2025-32873
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-8j24-cjrq-gr2m
Release Date: 2025-05-08
Fix Resolution: Django - 4.2.21,https://github.com/django/django.git - 5.2.1,https://github.com/django/django.git - 5.1.9,Django - 5.1.9,https://github.com/django/django.git - 4.2.21,Django - 5.2.1
CVE-2025-26699
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Publish Date: 2025-03-06
URL: CVE-2025-26699
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-p3fp-8748-vqfq
Release Date: 2025-03-06
Fix Resolution: 5.0.13,4.2.20,5.1.7
CVE-2025-13372
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
"FilteredRelation" is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet.annotate()" or "QuerySet.alias()" on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Publish Date: 2025-12-02
URL: CVE-2025-13372
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/dev/releases/security/
Release Date: 2025-12-02
Fix Resolution: 4.2.27
CVE-2025-48432
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Publish Date: 2025-06-05
URL: CVE-2025-48432
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
Release Date: 2025-06-05
Fix Resolution: 4.2.22
CVE-2025-59682
Dependency Hierarchy:
- ❌ Django-4.2.18-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Publish Date: 2025-10-01
URL: CVE-2025-59682
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q95w-c7qg-hrff
Release Date: 2025-10-01
Fix Resolution: 4.2.25