Archive of security issues

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

Some important caveats apply to this information:

  • Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
  • The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.

Issues prior to Django’s security process

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

August 16, 2006 - :cve:`2007-0404`

Filename validation issue in translation framework. Full description

Versions affected


January 21, 2007 - :cve:`2007-0405`

Apparent “caching” of authenticated user. Full description

Versions affected


Issues under Django’s security process

All other security issues have been handled under versions of Django’s security process. These are listed below.

October 26, 2007 - :cve:`2007-5712`

Denial-of-service via arbitrarily-large Accept-Language header. Full description

May 14, 2008 - :cve:`2008-2302`

XSS via admin login redirect. Full description

September 2, 2008 - :cve:`2008-3909`

CSRF via preservation of POST data during admin login. Full description

July 28, 2009 - :cve:`2009-2659`

Directory-traversal in development server media handler. Full description

Versions affected


October 9, 2009 - :cve:`2009-3965`

Denial-of-service via pathological regular expression performance. Full description

Versions affected


September 8, 2010 - :cve:`2010-3082`

XSS via trusting unsafe cookie value. Full description

Versions affected


December 22, 2010 - :cve:`2010-4534`

Information leakage in administrative interface. Full description

Versions affected


December 22, 2010 - :cve:`2010-4535`

Denial-of-service in password-reset mechanism. Full description

Versions affected


February 8, 2011 - :cve:`2011-0696`

CSRF via forged HTTP headers. Full description

Versions affected


February 8, 2011 - :cve:`2011-0697`

XSS via unsanitized names of uploaded files. Full description

Versions affected


February 8, 2011 - :cve:`2011-0698`

Directory-traversal on Windows via incorrect path-separator handling. Full description

Versions affected


September 9, 2011 - :cve:`2011-4136`

Session manipulation when using memory-cache-backed session. Full description

Versions affected


September 9, 2011 - :cve:`2011-4137`

Denial-of-service via URLField.verify_exists. Full description

Versions affected


September 9, 2011 - :cve:`2011-4138`

Information leakage/arbitrary request issuance via URLField.verify_exists. Full description

Versions affected


September 9, 2011 - :cve:`2011-4139`

Host header cache poisoning. Full description

Versions affected


September 9, 2011 - :cve:`2011-4140`

Potential CSRF via Host header. Full description

Versions affected

This notification was an advisory only, so no patches were issued.

  • Django 1.2
  • Django 1.3


July 30, 2012 - :cve:`2012-3442`

XSS via failure to validate redirect scheme. Full description

July 30, 2012 - :cve:`2012-3443`

Denial-of-service via compressed image files. Full description

Versions affected


July 30, 2012 - :cve:`2012-3444`

Denial-of-service via large image files. Full description

October 17, 2012 - :cve:`2012-4520`

Host header poisoning. Full description

December 10, 2012 - No CVE 1

Additional hardening of Host header handling. Full description

December 10, 2012 - No CVE 2

Additional hardening of redirect validation. Full description

February 19, 2013 - No CVE

Additional hardening of Host header handling. Full description

February 19, 2013 - :cve:`2013-1664` / :cve:`2013-1665`

Entity-based attacks against Python XML libraries. Full description

February 19, 2013 - :cve:`2013-0305`

Information leakage via admin history log. Full description

February 19, 2013 - :cve:`2013-0306`

Denial-of-service via formset max_num bypass. Full description

August 13, 2013 - :cve:`2013-4249`

XSS via admin trusting URLField values. Full description

August 13, 2013 - :cve:`2013-6044`

Possible XSS via unvalidated URL redirect schemes. Full description

September 10, 2013 - :cve:`2013-4315`

Directory-traversal via ssi template tag. Full description

April 21, 2014 - :cve:`2014-0472`

Unexpected code execution using reverse(). Full description

April 21, 2014 - :cve:`2014-0473`

Caching of anonymous pages could reveal CSRF token. Full description

April 21, 2014 - :cve:`2014-0474`

MySQL typecasting causes unexpected query results. Full description

May 18, 2014 - :cve:`2014-3730`

Malformed URLs from user input incorrectly validated. Full description

August 20, 2014 - :cve:`2014-0480`

reverse() can generate URLs pointing to other hosts. Full description

August 20, 2014 - :cve:`2014-0482`

RemoteUserMiddleware session hijacking. Full description

August 20, 2014 - :cve:`2014-0483`

Data leakage via querystring manipulation in admin. Full description

January 13, 2015 - :cve:`2015-0219`

WSGI header spoofing via underscore/dash conflation. Full description

January 13, 2015 - :cve:`2015-0220`

Mitigated possible XSS attack via user-supplied redirect URLs. Full description

January 13, 2015 - :cve:`2015-0221`

Denial-of-service attack against django.views.static.serve(). Full description

January 13, 2015 - :cve:`2015-0222`

Database denial-of-service with ModelMultipleChoiceField. Full description

Versions affected


March 9, 2015 - :cve:`2015-2241`

XSS attack via properties in ModelAdmin.readonly_fields. Full description

March 18, 2015 - :cve:`2015-2316`

Denial-of-service possibility with strip_tags(). Full description

May 20, 2015 - :cve:`2015-3982`

Fixed session flushing in the cached_db backend. Full description

July 8, 2015 - :cve:`2015-5143`

Denial-of-service possibility by filling session store. Full description

July 8, 2015 - :cve:`2015-5144`

Header injection possibility since validators accept newlines in input. Full description

July 8, 2015 - :cve:`2015-5145`

Denial-of-service possibility in URL validation. Full description

August 18, 2015 - :cve:`2015-5963` / :cve:`2015-5964`

Denial-of-service possibility in logout() view by filling session store. Full description

November 24, 2015 - :cve:`2015-8213`

Settings leak possibility in date template filter. Full description

February 1, 2016 - :cve:`2016-2048`

User with “change” but not “add” permission can create objects for ModelAdmin’s with save_as=True. Full description

Versions affected


March 1, 2016 - :cve:`2016-2512`

Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description

March 1, 2016 - :cve:`2016-2513`

User enumeration through timing difference on password hasher work factor upgrade. Full description

Versions affected


July 18, 2016 - :cve:`2016-6186`

XSS in admin’s add/change related popup. Full description

Versions affected


September 26, 2016 - :cve:`2016-7401`

CSRF protection bypass on a site with Google Analytics. Full description

November 1, 2016 - :cve:`2016-9013`

User with hardcoded password created when running tests on Oracle. Full description

November 1, 2016 - :cve:`2016-9014`

DNS rebinding vulnerability when DEBUG=True. Full description

April 4, 2017 - :cve:`2017-7233`

Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description

April 4, 2017 - :cve:`2017-7234`

Open redirect vulnerability in django.views.static.serve(). Full description

September 5, 2017 - :cve:`2017-12794`

Possible XSS in traceback section of technical 500 debug page. Full description

February 1, 2018 - :cve:`2018-6188`

Information leakage in AuthenticationForm. Full description

March 6, 2018 - :cve:`2018-7536`

Denial-of-service possibility in urlize and urlizetrunc template filters. Full description

March 6, 2018 - :cve:`2018-7537`

Denial-of-service possibility in truncatechars_html and truncatewords_html template filters. Full description

August 1, 2018 - :cve:`2018-14574`

Open redirect possibility in CommonMiddleware. Full description

October 1, 2018 - :cve:`2018-16984`

Password hash disclosure to “view only” admin users. Full description

Versions affected


January 4, 2019 - :cve:`2019-3498`

Content spoofing possibility in the default 404 page. Full description

June 3, 2019 - :cve:`2019-11358`

Prototype pollution in bundled jQuery. Full description

June 3, 2019 - :cve:`2019-12308`

XSS via “Current URL” link generated by AdminURLFieldWidget. Full description

July 1, 2019 - :cve:`2019-12781`

Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description

August 1, 2019 - :cve:`2019-14232`

Denial-of-service possibility in django.utils.text.Truncator. Full description

August 1, 2019 - :cve:`2019-14233`

Denial-of-service possibility in strip_tags(). Full description

August 1, 2019 - :cve:`2019-14234`

SQL injection possibility in key and index lookups for JSONField/HStoreField. Full description

August 1, 2019 - :cve:`2019-14235`

Potential memory exhaustion in django.utils.encoding.uri_to_iri(). Full description

December 2, 2019 - :cve:`2019-19118`

Privilege escalation in the Django admin. Full description

December 18, 2019 - :cve:`2019-19844`

Potential account hijack via password reset form. Full description

February 3, 2020 - :cve:`2020-7471`

Potential SQL injection via StringAgg(delimiter). Full description

March 4, 2020 - :cve:`2020-9402`

Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle. Full description

June 3, 2020 - :cve:`2020-13254`

Potential data leakage via malformed memcached keys. Full description

June 3, 2020 - :cve:`2020-13596`

Possible XSS via admin ForeignKeyRawIdWidget. Full description

September 1, 2020 - :cve:`2020-24583`

Incorrect permissions on intermediate-level directories on Python 3.7+. Full description

September 1, 2020 - :cve:`2020-24584`

Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description

February 1, 2021 - :cve:`2021-3281`

Potential directory-traversal via archive.extract(). Full description

February 19, 2021 - :cve:`2021-23336`

Web cache poisoning via django.utils.http.limited_parse_qsl(). Full description

April 6, 2021 - :cve:`2021-28658`

Potential directory-traversal via uploaded files. Full description