Django — свободный фреймворк для веб-приложений на языке Python, использующий шаблон проектирования MVC
Релизный цикл, информация об уязвимостях
График релизов
Количество 750
CVE-2025-59682
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
CVE-2025-59682
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13 ...
CVE-2025-59681
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
CVE-2025-59681
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13 ...
CVE-2025-59682
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
CVE-2025-59681
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
BDU:2025-12461
Уязвимость методов QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() программной платформы для веб-приложений Django, позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации
BDU:2025-12661
Уязвимость функции django.utils.archive.extract() программной платформы для веб-приложений Django, позволяющая нарушителю обойти ограничения безопасности
GHSA-6w2r-r2m5-xq5w
Django is subject to SQL injection through its column aliases
SUSE-SU-2025:03074-1
Security update for python-Django
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2025-59682 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. | CVSS3: 3.1 | 0% Низкий | 3 месяца назад |
| CVE-2025-59682 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13 ... | CVSS3: 3.1 | 0% Низкий | 3 месяца назад |
| CVE-2025-59681 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). | CVSS3: 7.1 | 0% Низкий | 3 месяца назад |
| CVE-2025-59681 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13 ... | CVSS3: 7.1 | 0% Низкий | 3 месяца назад |
 | CVE-2025-59682 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. | CVSS3: 3.1 | 0% Низкий | 3 месяца назад |
| CVE-2025-59681 An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB). | CVSS3: 7.1 | 0% Низкий | 3 месяца назад |
 | BDU:2025-12461 Уязвимость методов QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() программной платформы для веб-приложений Django, позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации | CVSS3: 7.1 | 0% Низкий | 3 месяца назад |
| BDU:2025-12661 Уязвимость функции django.utils.archive.extract() программной платформы для веб-приложений Django, позволяющая нарушителю обойти ограничения безопасности | CVSS3: 3.1 | 0% Низкий | 3 месяца назад |
| GHSA-6w2r-r2m5-xq5w Django is subject to SQL injection through its column aliases | CVSS3: 7.1 | 0% Низкий | 3 месяца назад |
 | SUSE-SU-2025:03074-1 Security update for python-Django | 0% Низкий | 4 месяца назад |
Уязвимостей на страницу