Django — CVE history (PyPI)
Django
86 CVEs affect the Django PyPI package (highest CVSS 9.8). Latest disclosed: 2026-06-03. Full CVE history sourced from NVD.
Summary
- Package: Django (PyPI)
- Total CVEs: 86
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-06-03
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8404 | Low | 3.1 | — | 2026-06-03 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. |
| CVE-2026-7666 | Low | 3.1 | — | 2026-06-03 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. |
| CVE-2026-6873 | Low | 3.1 | — | 2026-06-03 | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. |
| CVE-2026-48587 | Low | 3.1 | — | 2026-06-03 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. |
| CVE-2026-35193 | Low | 3.1 | — | 2026-06-03 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. |
| CVE-2026-6907 | Medium | 4.3 | — | 2026-05-05 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. |
| CVE-2026-5766 | Medium | 5.3 | — | 2026-05-05 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. |
| CVE-2026-35192 | Medium | 6.5 | — | 2026-05-05 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. |
| CVE-2026-33034 | — | — | — | 2026-04-07 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. |
| CVE-2026-33033 | — | — | — | 2026-04-07 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. |
| CVE-2026-4292 | — | — | — | 2026-04-07 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. |
| CVE-2026-4277 | — | — | — | 2026-04-07 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. |
| CVE-2026-3902 | — | — | — | 2026-04-07 | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. |
| CVE-2026-25674 | — | — | — | 2026-03-03 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. |
| CVE-2026-25673 | — | — | — | 2026-03-03 | An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. |
| CVE-2025-14550 | — | — | — | 2026-02-03 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. |
| CVE-2026-1312 | — | — | — | 2026-02-03 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. |
| CVE-2026-1287 | — | — | — | 2026-02-03 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. |
| CVE-2026-1285 | — | — | — | 2026-02-03 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. |
| CVE-2026-1207 | — | — | — | 2026-02-03 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2016-9013 | Critical | 9.8 | — | 2016-12-09 | Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain acces… |
| CVE-2016-9014 | High | 8.1 | — | 2016-12-09 | Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings… |
| CVE-2016-7401 | High | 7.5 | — | 2016-10-03 | The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. |
| CVE-2016-2512 | High | 7.4 | — | 2016-04-08 | The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a U… |
| CVE-2025-59681 | High | 7.1 | — | 2025-10-01 | An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. |
| CVE-2025-57833 | High | 7.1 | — | 2025-09-03 | An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. |
| CVE-2026-35192 | Medium | 6.5 | — | 2026-05-05 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. |
| CVE-2017-12794 | Medium | 6.1 | — | 2017-09-07 | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. |
| CVE-2017-7234 | Medium | 6.1 | — | 2017-04-04 | A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability. |
| CVE-2017-7233 | Medium | 6.1 | — | 2017-04-04 | Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. |