Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-13473 (GCVE-0-2025-13473)
Vulnerability from cvelistv5 – Published: 2026-02-03 14:32 – Updated: 2026-02-03 16:19
VLAI?
EPSS
Title
Username enumeration through timing difference in mod_wsgi authentication handler
Summary
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Severity ?
No CVSS data available.
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
6.0 , < 6.0.2
(semver)
Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver) |
Credits
Stackered
Jake Howard
Jacob Walls
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T16:19:11.902979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T16:19:15.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "6.0.2",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.2",
"versionType": "semver"
},
{
"lessThan": "5.2.11",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.11",
"versionType": "semver"
},
{
"lessThan": "4.2.28",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.28",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stackered"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jake Howard"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jacob Walls"
}
],
"datePublic": "2026-02-03T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003eThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Stackered for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54: Query System for Information"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "low"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T14:32:26.240Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-11-12T18:00:00.000Z",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-11-19T18:00:00.000Z",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2026-02-03T08:00:00.000Z",
"value": "Security release issued."
}
],
"title": "Username enumeration through timing difference in mod_wsgi authentication handler",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-13473",
"datePublished": "2026-02-03T14:32:26.240Z",
"dateReserved": "2025-11-20T11:44:39.641Z",
"dateUpdated": "2026-02-03T16:19:15.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-13473\",\"sourceIdentifier\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"published\":\"2026-02-03T15:16:11.593\",\"lastModified\":\"2026-02-04T17:10:36.833\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Stackered for reporting this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2\",\"versionEndExcluding\":\"4.2.28\",\"matchCriteriaId\":\"59566A1F-D2C5-43D6-97AA-258EFD90B937\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"5.2.11\",\"matchCriteriaId\":\"845BC013-1341-4D81-A5F1-507C814ABA7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0\",\"versionEndExcluding\":\"6.0.2\",\"matchCriteriaId\":\"4ACBCB7B-B8F4-4EEF-842D-0CCB8674BCD2\"}]}]}],\"references\":[{\"url\":\"https://docs.djangoproject.com/en/dev/releases/security/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Vendor Advisory\",\"Patch\"]},{\"url\":\"https://groups.google.com/g/django-announce\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13473\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T16:19:11.902979Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T16:18:59.825Z\"}}], \"cna\": {\"title\": \"Username enumeration through timing difference in mod_wsgi authentication handler\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Stackered\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Jake Howard\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Jacob Walls\"}], \"impacts\": [{\"capecId\": \"CAPEC-54\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-54: Query System for Information\"}]}], \"metrics\": [{\"other\": {\"type\": \"Django severity rating\", \"content\": {\"value\": \"low\", \"namespace\": \"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels\"}}}], \"affected\": [{\"repo\": \"https://github.com/django/django/\", \"vendor\": \"djangoproject\", \"product\": \"Django\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.0.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.0.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.2\", \"lessThan\": \"5.2.11\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.2.11\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.2\", \"lessThan\": \"4.2.28\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.2.28\", \"versionType\": \"semver\"}], \"packageName\": \"django\", \"collectionURL\": \"https://pypi.org/project/Django/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-11-12T18:00:00\", \"value\": \"Initial report received.\"}, {\"lang\": \"en\", \"time\": \"2025-11-19T18:00:00\", \"value\": \"Vulnerability confirmed.\"}, {\"lang\": \"en\", \"time\": \"2026-02-03T08:00:00\", \"value\": \"Security release issued.\"}], \"datePublic\": \"2026-02-03T08:00:00.000Z\", \"references\": [{\"url\": \"https://docs.djangoproject.com/en/dev/releases/security/\", \"name\": \"Django security archive\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://groups.google.com/g/django-announce\", \"name\": \"Django releases announcements\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/\", \"name\": \"Django security releases issued: 6.0.2, 5.2.11, and 4.2.28\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Stackered for reporting this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003eThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Stackered for reporting this issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"shortName\": \"DSF\", \"dateUpdated\": \"2026-02-03T14:32:26.240Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-13473\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T16:19:15.167Z\", \"dateReserved\": \"2025-11-20T11:44:39.641Z\", \"assignerOrgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"datePublished\": \"2026-02-03T14:32:26.240Z\", \"assignerShortName\": \"DSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-13473
Vulnerability from fkie_nvd - Published: 2026-02-03 15:16 - Updated: 2026-02-04 17:10
Severity ?
Summary
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | django | * | |
| djangoproject | django | * | |
| djangoproject | django | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59566A1F-D2C5-43D6-97AA-258EFD90B937",
"versionEndExcluding": "4.2.28",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "845BC013-1341-4D81-A5F1-507C814ABA7E",
"versionEndExcluding": "5.2.11",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4ACBCB7B-B8F4-4EEF-842D-0CCB8674BCD2",
"versionEndExcluding": "6.0.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en 6.0 anterior a 6.0.2, 5.2 anterior a 5.2.11, y 4.2 anterior a 4.2.28.\nLa funci\u00f3n \u0027django.contrib.auth.handlers.modwsgi.check_password()\u0027 para autenticaci\u00f3n a trav\u00e9s de \u0027mod_wsgi\u0027 permite a atacantes remotos enumerar usuarios mediante un ataque de temporizaci\u00f3n.\nSeries de Django anteriores no soportadas (como 5.0.x, 4.1.x, y 3.2.x) no fueron evaluadas y tambi\u00e9n podr\u00edan estar afectadas.\nDjango desea agradecer a Stackered por reportar este problema."
}
],
"id": "CVE-2025-13473",
"lastModified": "2026-02-04T17:10:36.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-02-03T15:16:11.593",
"references": [
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Release Notes"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
}
],
"sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-208"
}
],
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"type": "Secondary"
}
]
}
WID-SEC-W-2026-0297
Vulnerability from csaf_certbund - Published: 2026-02-03 23:00 - Updated: 2026-02-19 23:00Summary
Django: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Django ausnutzen, um SQL-Injektionen durchzuführen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Django ausnutzen, um SQL-Injektionen durchzuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0297 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0297.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0297 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0297"
},
{
"category": "external",
"summary": "Django security releases vom 2026-02-03",
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:0037-1 vom 2026-02-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WX42CFZ2AQTSZLBB3PTABNCVT24BY5LD/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10145-1 vom 2026-02-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6YXRDGNO2VRFCYEO7S5XCYOEEC7OHQBJ/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10160-1 vom 2026-02-07",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YHMF6TKLQHY64LIBBUZG6MVNZG67XCLF/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20184-1 vom 2026-02-08",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ODQCVGK27AYTTSMYPSEXFVQA2TBTRMAZ/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0440-1 vom 2026-02-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024108.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10216-1 vom 2026-02-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3W7YNK2GGKJUDPRXM3ZFCF437GO2IFDX/"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-00B5BF3150 vom 2026-02-19",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-00b5bf3150"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4484 vom 2026-02-19",
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00023.html"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-3ADB735295 vom 2026-02-19",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-3adb735295"
}
],
"source_lang": "en-US",
"title": "Django: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-02-19T23:00:00.000+00:00",
"generator": {
"date": "2026-02-20T09:20:45.861+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0297",
"initial_release_date": "2026-02-03T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-03T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-02-04T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-02-05T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-02-08T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-02-11T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-18T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-02-19T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Fedora und Debian aufgenommen"
}
],
"status": "final",
"version": "7"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.0.2",
"product": {
"name": "Open Source Django \u003c6.0.2",
"product_id": "T050499"
}
},
{
"category": "product_version",
"name": "6.0.2",
"product": {
"name": "Open Source Django 6.0.2",
"product_id": "T050499-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:6.0.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.2.11",
"product": {
"name": "Open Source Django \u003c5.2.11",
"product_id": "T050500"
}
},
{
"category": "product_version",
"name": "5.2.11",
"product": {
"name": "Open Source Django 5.2.11",
"product_id": "T050500-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:5.2.11"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.2.28",
"product": {
"name": "Open Source Django \u003c4.2.28",
"product_id": "T050501"
}
},
{
"category": "product_version",
"name": "4.2.28",
"product": {
"name": "Open Source Django 4.2.28",
"product_id": "T050501-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:4.2.28"
}
}
}
],
"category": "product_name",
"name": "Django"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13473",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2025-13473"
},
{
"cve": "CVE-2026-1207",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2026-1207"
},
{
"cve": "CVE-2026-1287",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2026-1287"
},
{
"cve": "CVE-2026-1312",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2026-1312"
},
{
"cve": "CVE-2025-14550",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2025-14550"
},
{
"cve": "CVE-2026-1285",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T027843",
"T050499",
"T050501",
"T050500",
"74185"
]
},
"release_date": "2026-02-03T23:00:00.000+00:00",
"title": "CVE-2026-1285"
}
]
}
OPENSUSE-SU-2026:10247-1
Vulnerability from csaf_opensuse - Published: 2026-02-24 00:00 - Updated: 2026-02-24 00:00Summary
python311-Django4-4.2.28-1.1 on GA media
Notes
Title of the patch
python311-Django4-4.2.28-1.1 on GA media
Description of the patch
These are all security issues fixed in the python311-Django4-4.2.28-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10247
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-Django4-4.2.28-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-Django4-4.2.28-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10247",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10247-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13473 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13473/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-14550 page",
"url": "https://www.suse.com/security/cve/CVE-2025-14550/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1207 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1207/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1287 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1287/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1312 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1312/"
}
],
"title": "python311-Django4-4.2.28-1.1 on GA media",
"tracking": {
"current_release_date": "2026-02-24T00:00:00Z",
"generator": {
"date": "2026-02-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10247-1",
"initial_release_date": "2026-02-24T00:00:00Z",
"revision_history": [
{
"date": "2026-02-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-Django4-4.2.28-1.1.aarch64",
"product": {
"name": "python311-Django4-4.2.28-1.1.aarch64",
"product_id": "python311-Django4-4.2.28-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-Django4-4.2.28-1.1.aarch64",
"product": {
"name": "python312-Django4-4.2.28-1.1.aarch64",
"product_id": "python312-Django4-4.2.28-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Django4-4.2.28-1.1.aarch64",
"product": {
"name": "python313-Django4-4.2.28-1.1.aarch64",
"product_id": "python313-Django4-4.2.28-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django4-4.2.28-1.1.ppc64le",
"product": {
"name": "python311-Django4-4.2.28-1.1.ppc64le",
"product_id": "python311-Django4-4.2.28-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-Django4-4.2.28-1.1.ppc64le",
"product": {
"name": "python312-Django4-4.2.28-1.1.ppc64le",
"product_id": "python312-Django4-4.2.28-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Django4-4.2.28-1.1.ppc64le",
"product": {
"name": "python313-Django4-4.2.28-1.1.ppc64le",
"product_id": "python313-Django4-4.2.28-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django4-4.2.28-1.1.s390x",
"product": {
"name": "python311-Django4-4.2.28-1.1.s390x",
"product_id": "python311-Django4-4.2.28-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-Django4-4.2.28-1.1.s390x",
"product": {
"name": "python312-Django4-4.2.28-1.1.s390x",
"product_id": "python312-Django4-4.2.28-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Django4-4.2.28-1.1.s390x",
"product": {
"name": "python313-Django4-4.2.28-1.1.s390x",
"product_id": "python313-Django4-4.2.28-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django4-4.2.28-1.1.x86_64",
"product": {
"name": "python311-Django4-4.2.28-1.1.x86_64",
"product_id": "python311-Django4-4.2.28-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-Django4-4.2.28-1.1.x86_64",
"product": {
"name": "python312-Django4-4.2.28-1.1.x86_64",
"product_id": "python312-Django4-4.2.28-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Django4-4.2.28-1.1.x86_64",
"product": {
"name": "python313-Django4-4.2.28-1.1.x86_64",
"product_id": "python313-Django4-4.2.28-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django4-4.2.28-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64"
},
"product_reference": "python311-Django4-4.2.28-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django4-4.2.28-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le"
},
"product_reference": "python311-Django4-4.2.28-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django4-4.2.28-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x"
},
"product_reference": "python311-Django4-4.2.28-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django4-4.2.28-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64"
},
"product_reference": "python311-Django4-4.2.28-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django4-4.2.28-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64"
},
"product_reference": "python312-Django4-4.2.28-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django4-4.2.28-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le"
},
"product_reference": "python312-Django4-4.2.28-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django4-4.2.28-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x"
},
"product_reference": "python312-Django4-4.2.28-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django4-4.2.28-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64"
},
"product_reference": "python312-Django4-4.2.28-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django4-4.2.28-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64"
},
"product_reference": "python313-Django4-4.2.28-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django4-4.2.28-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le"
},
"product_reference": "python313-Django4-4.2.28-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django4-4.2.28-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x"
},
"product_reference": "python313-Django4-4.2.28-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django4-4.2.28-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
},
"product_reference": "python313-Django4-4.2.28-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13473",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13473"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13473",
"url": "https://www.suse.com/security/cve/CVE-2025-13473"
},
{
"category": "external",
"summary": "SUSE Bug 1257401 for CVE-2025-13473",
"url": "https://bugzilla.suse.com/1257401"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-13473"
},
{
"cve": "CVE-2025-14550",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-14550"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-14550",
"url": "https://www.suse.com/security/cve/CVE-2025-14550"
},
{
"category": "external",
"summary": "SUSE Bug 1257403 for CVE-2025-14550",
"url": "https://bugzilla.suse.com/1257403"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-14550"
},
{
"cve": "CVE-2026-1207",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1207"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1207",
"url": "https://www.suse.com/security/cve/CVE-2026-1207"
},
{
"category": "external",
"summary": "SUSE Bug 1257405 for CVE-2026-1207",
"url": "https://bugzilla.suse.com/1257405"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1207"
},
{
"cve": "CVE-2026-1285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1285"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1285",
"url": "https://www.suse.com/security/cve/CVE-2026-1285"
},
{
"category": "external",
"summary": "SUSE Bug 1257406 for CVE-2026-1285",
"url": "https://bugzilla.suse.com/1257406"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1285"
},
{
"cve": "CVE-2026-1287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1287"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1287",
"url": "https://www.suse.com/security/cve/CVE-2026-1287"
},
{
"category": "external",
"summary": "SUSE Bug 1257407 for CVE-2026-1287",
"url": "https://bugzilla.suse.com/1257407"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1287"
},
{
"cve": "CVE-2026-1312",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1312"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1312",
"url": "https://www.suse.com/security/cve/CVE-2026-1312"
},
{
"category": "external",
"summary": "SUSE Bug 1257408 for CVE-2026-1312",
"url": "https://bugzilla.suse.com/1257408"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python311-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python312-Django4-4.2.28-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.s390x",
"openSUSE Tumbleweed:python313-Django4-4.2.28-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1312"
}
]
}
OPENSUSE-SU-2026:20184-1
Vulnerability from csaf_opensuse - Published: 2026-02-07 13:45 - Updated: 2026-02-07 13:45Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
Changes in python-Django:
- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).
- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).
- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).
- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).
- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).
- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403).
Patchnames
openSUSE-Leap-16.0-packagehub-113
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-Django",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-Django fixes the following issues:\n\nChanges in python-Django:\n\n- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).\n- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).\n- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).\n- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).\n- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).\n- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-113",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20184-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1257401",
"url": "https://bugzilla.suse.com/1257401"
},
{
"category": "self",
"summary": "SUSE Bug 1257403",
"url": "https://bugzilla.suse.com/1257403"
},
{
"category": "self",
"summary": "SUSE Bug 1257405",
"url": "https://bugzilla.suse.com/1257405"
},
{
"category": "self",
"summary": "SUSE Bug 1257406",
"url": "https://bugzilla.suse.com/1257406"
},
{
"category": "self",
"summary": "SUSE Bug 1257407",
"url": "https://bugzilla.suse.com/1257407"
},
{
"category": "self",
"summary": "SUSE Bug 1257408",
"url": "https://bugzilla.suse.com/1257408"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13473 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13473/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-14550 page",
"url": "https://www.suse.com/security/cve/CVE-2025-14550/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1207 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1207/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1287 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1287/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1312 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1312/"
}
],
"title": "Security update for python-Django",
"tracking": {
"current_release_date": "2026-02-07T13:45:17Z",
"generator": {
"date": "2026-02-07T13:45:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20184-1",
"initial_release_date": "2026-02-07T13:45:17Z",
"revision_history": [
{
"date": "2026-02-07T13:45:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-Django-5.2.4-bp160.5.1.noarch",
"product": {
"name": "python313-Django-5.2.4-bp160.5.1.noarch",
"product_id": "python313-Django-5.2.4-bp160.5.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django-5.2.4-bp160.5.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
},
"product_reference": "python313-Django-5.2.4-bp160.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13473",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13473"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13473",
"url": "https://www.suse.com/security/cve/CVE-2025-13473"
},
{
"category": "external",
"summary": "SUSE Bug 1257401 for CVE-2025-13473",
"url": "https://bugzilla.suse.com/1257401"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2025-13473"
},
{
"cve": "CVE-2025-14550",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-14550"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-14550",
"url": "https://www.suse.com/security/cve/CVE-2025-14550"
},
{
"category": "external",
"summary": "SUSE Bug 1257403 for CVE-2025-14550",
"url": "https://bugzilla.suse.com/1257403"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2025-14550"
},
{
"cve": "CVE-2026-1207",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1207"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1207",
"url": "https://www.suse.com/security/cve/CVE-2026-1207"
},
{
"category": "external",
"summary": "SUSE Bug 1257405 for CVE-2026-1207",
"url": "https://bugzilla.suse.com/1257405"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2026-1207"
},
{
"cve": "CVE-2026-1285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1285"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1285",
"url": "https://www.suse.com/security/cve/CVE-2026-1285"
},
{
"category": "external",
"summary": "SUSE Bug 1257406 for CVE-2026-1285",
"url": "https://bugzilla.suse.com/1257406"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2026-1285"
},
{
"cve": "CVE-2026-1287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1287"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1287",
"url": "https://www.suse.com/security/cve/CVE-2026-1287"
},
{
"category": "external",
"summary": "SUSE Bug 1257407 for CVE-2026-1287",
"url": "https://bugzilla.suse.com/1257407"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2026-1287"
},
{
"cve": "CVE-2026-1312",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1312"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1312",
"url": "https://www.suse.com/security/cve/CVE-2026-1312"
},
{
"category": "external",
"summary": "SUSE Bug 1257408 for CVE-2026-1312",
"url": "https://bugzilla.suse.com/1257408"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-07T13:45:17Z",
"details": "important"
}
],
"title": "CVE-2026-1312"
}
]
}
OPENSUSE-SU-2026:10145-1
Vulnerability from csaf_opensuse - Published: 2026-02-04 00:00 - Updated: 2026-02-04 00:00Summary
python312-Django6-6.0.2-1.1 on GA media
Notes
Title of the patch
python312-Django6-6.0.2-1.1 on GA media
Description of the patch
These are all security issues fixed in the python312-Django6-6.0.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10145
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python312-Django6-6.0.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python312-Django6-6.0.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10145",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10145-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13473 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13473/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-14550 page",
"url": "https://www.suse.com/security/cve/CVE-2025-14550/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1207 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1207/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1287 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1287/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1312 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1312/"
}
],
"title": "python312-Django6-6.0.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-02-04T00:00:00Z",
"generator": {
"date": "2026-02-04T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10145-1",
"initial_release_date": "2026-02-04T00:00:00Z",
"revision_history": [
{
"date": "2026-02-04T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0.2-1.1.aarch64",
"product": {
"name": "python312-Django6-6.0.2-1.1.aarch64",
"product_id": "python312-Django6-6.0.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0.2-1.1.aarch64",
"product": {
"name": "python313-Django6-6.0.2-1.1.aarch64",
"product_id": "python313-Django6-6.0.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0.2-1.1.ppc64le",
"product": {
"name": "python312-Django6-6.0.2-1.1.ppc64le",
"product_id": "python312-Django6-6.0.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0.2-1.1.ppc64le",
"product": {
"name": "python313-Django6-6.0.2-1.1.ppc64le",
"product_id": "python313-Django6-6.0.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0.2-1.1.s390x",
"product": {
"name": "python312-Django6-6.0.2-1.1.s390x",
"product_id": "python312-Django6-6.0.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0.2-1.1.s390x",
"product": {
"name": "python313-Django6-6.0.2-1.1.s390x",
"product_id": "python313-Django6-6.0.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0.2-1.1.x86_64",
"product": {
"name": "python312-Django6-6.0.2-1.1.x86_64",
"product_id": "python312-Django6-6.0.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0.2-1.1.x86_64",
"product": {
"name": "python313-Django6-6.0.2-1.1.x86_64",
"product_id": "python313-Django6-6.0.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64"
},
"product_reference": "python312-Django6-6.0.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le"
},
"product_reference": "python312-Django6-6.0.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x"
},
"product_reference": "python312-Django6-6.0.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64"
},
"product_reference": "python312-Django6-6.0.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64"
},
"product_reference": "python313-Django6-6.0.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le"
},
"product_reference": "python313-Django6-6.0.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x"
},
"product_reference": "python313-Django6-6.0.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
},
"product_reference": "python313-Django6-6.0.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13473",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13473"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13473",
"url": "https://www.suse.com/security/cve/CVE-2025-13473"
},
{
"category": "external",
"summary": "SUSE Bug 1257401 for CVE-2025-13473",
"url": "https://bugzilla.suse.com/1257401"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-13473"
},
{
"cve": "CVE-2025-14550",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-14550"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-14550",
"url": "https://www.suse.com/security/cve/CVE-2025-14550"
},
{
"category": "external",
"summary": "SUSE Bug 1257403 for CVE-2025-14550",
"url": "https://bugzilla.suse.com/1257403"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-14550"
},
{
"cve": "CVE-2026-1207",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1207"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1207",
"url": "https://www.suse.com/security/cve/CVE-2026-1207"
},
{
"category": "external",
"summary": "SUSE Bug 1257405 for CVE-2026-1207",
"url": "https://bugzilla.suse.com/1257405"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1207"
},
{
"cve": "CVE-2026-1285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1285"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1285",
"url": "https://www.suse.com/security/cve/CVE-2026-1285"
},
{
"category": "external",
"summary": "SUSE Bug 1257406 for CVE-2026-1285",
"url": "https://bugzilla.suse.com/1257406"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1285"
},
{
"cve": "CVE-2026-1287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1287"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1287",
"url": "https://www.suse.com/security/cve/CVE-2026-1287"
},
{
"category": "external",
"summary": "SUSE Bug 1257407 for CVE-2026-1287",
"url": "https://bugzilla.suse.com/1257407"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1287"
},
{
"cve": "CVE-2026-1312",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1312"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1312",
"url": "https://www.suse.com/security/cve/CVE-2026-1312"
},
{
"category": "external",
"summary": "SUSE Bug 1257408 for CVE-2026-1312",
"url": "https://bugzilla.suse.com/1257408"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-04T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1312"
}
]
}
OPENSUSE-SU-2026:10160-1
Vulnerability from csaf_opensuse - Published: 2026-02-06 00:00 - Updated: 2026-02-06 00:00Summary
python311-Django-5.2.11-1.1 on GA media
Notes
Title of the patch
python311-Django-5.2.11-1.1 on GA media
Description of the patch
These are all security issues fixed in the python311-Django-5.2.11-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10160
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-Django-5.2.11-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-Django-5.2.11-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10160",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10160-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13473 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13473/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-14550 page",
"url": "https://www.suse.com/security/cve/CVE-2025-14550/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1207 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1207/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1287 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1287/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1312 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1312/"
}
],
"title": "python311-Django-5.2.11-1.1 on GA media",
"tracking": {
"current_release_date": "2026-02-06T00:00:00Z",
"generator": {
"date": "2026-02-06T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10160-1",
"initial_release_date": "2026-02-06T00:00:00Z",
"revision_history": [
{
"date": "2026-02-06T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-Django-5.2.11-1.1.aarch64",
"product": {
"name": "python311-Django-5.2.11-1.1.aarch64",
"product_id": "python311-Django-5.2.11-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-Django-5.2.11-1.1.aarch64",
"product": {
"name": "python312-Django-5.2.11-1.1.aarch64",
"product_id": "python312-Django-5.2.11-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Django-5.2.11-1.1.aarch64",
"product": {
"name": "python313-Django-5.2.11-1.1.aarch64",
"product_id": "python313-Django-5.2.11-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django-5.2.11-1.1.ppc64le",
"product": {
"name": "python311-Django-5.2.11-1.1.ppc64le",
"product_id": "python311-Django-5.2.11-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-Django-5.2.11-1.1.ppc64le",
"product": {
"name": "python312-Django-5.2.11-1.1.ppc64le",
"product_id": "python312-Django-5.2.11-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Django-5.2.11-1.1.ppc64le",
"product": {
"name": "python313-Django-5.2.11-1.1.ppc64le",
"product_id": "python313-Django-5.2.11-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django-5.2.11-1.1.s390x",
"product": {
"name": "python311-Django-5.2.11-1.1.s390x",
"product_id": "python311-Django-5.2.11-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-Django-5.2.11-1.1.s390x",
"product": {
"name": "python312-Django-5.2.11-1.1.s390x",
"product_id": "python312-Django-5.2.11-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Django-5.2.11-1.1.s390x",
"product": {
"name": "python313-Django-5.2.11-1.1.s390x",
"product_id": "python313-Django-5.2.11-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-Django-5.2.11-1.1.x86_64",
"product": {
"name": "python311-Django-5.2.11-1.1.x86_64",
"product_id": "python311-Django-5.2.11-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-Django-5.2.11-1.1.x86_64",
"product": {
"name": "python312-Django-5.2.11-1.1.x86_64",
"product_id": "python312-Django-5.2.11-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Django-5.2.11-1.1.x86_64",
"product": {
"name": "python313-Django-5.2.11-1.1.x86_64",
"product_id": "python313-Django-5.2.11-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-5.2.11-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64"
},
"product_reference": "python311-Django-5.2.11-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-5.2.11-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le"
},
"product_reference": "python311-Django-5.2.11-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-5.2.11-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x"
},
"product_reference": "python311-Django-5.2.11-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-5.2.11-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64"
},
"product_reference": "python311-Django-5.2.11-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django-5.2.11-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64"
},
"product_reference": "python312-Django-5.2.11-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django-5.2.11-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le"
},
"product_reference": "python312-Django-5.2.11-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django-5.2.11-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x"
},
"product_reference": "python312-Django-5.2.11-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django-5.2.11-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64"
},
"product_reference": "python312-Django-5.2.11-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django-5.2.11-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64"
},
"product_reference": "python313-Django-5.2.11-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django-5.2.11-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le"
},
"product_reference": "python313-Django-5.2.11-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django-5.2.11-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x"
},
"product_reference": "python313-Django-5.2.11-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django-5.2.11-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
},
"product_reference": "python313-Django-5.2.11-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13473",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13473"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13473",
"url": "https://www.suse.com/security/cve/CVE-2025-13473"
},
{
"category": "external",
"summary": "SUSE Bug 1257401 for CVE-2025-13473",
"url": "https://bugzilla.suse.com/1257401"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-13473"
},
{
"cve": "CVE-2025-14550",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-14550"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-14550",
"url": "https://www.suse.com/security/cve/CVE-2025-14550"
},
{
"category": "external",
"summary": "SUSE Bug 1257403 for CVE-2025-14550",
"url": "https://bugzilla.suse.com/1257403"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-14550"
},
{
"cve": "CVE-2026-1207",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1207"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1207",
"url": "https://www.suse.com/security/cve/CVE-2026-1207"
},
{
"category": "external",
"summary": "SUSE Bug 1257405 for CVE-2026-1207",
"url": "https://bugzilla.suse.com/1257405"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1207"
},
{
"cve": "CVE-2026-1285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1285"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1285",
"url": "https://www.suse.com/security/cve/CVE-2026-1285"
},
{
"category": "external",
"summary": "SUSE Bug 1257406 for CVE-2026-1285",
"url": "https://bugzilla.suse.com/1257406"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1285"
},
{
"cve": "CVE-2026-1287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1287"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1287",
"url": "https://www.suse.com/security/cve/CVE-2026-1287"
},
{
"category": "external",
"summary": "SUSE Bug 1257407 for CVE-2026-1287",
"url": "https://bugzilla.suse.com/1257407"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1287"
},
{
"cve": "CVE-2026-1312",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1312"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1312",
"url": "https://www.suse.com/security/cve/CVE-2026-1312"
},
{
"category": "external",
"summary": "SUSE Bug 1257408 for CVE-2026-1312",
"url": "https://bugzilla.suse.com/1257408"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python311-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python312-Django-5.2.11-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.s390x",
"openSUSE Tumbleweed:python313-Django-5.2.11-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-06T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-1312"
}
]
}
bit-django-2025-13473
Vulnerability from bitnami_vulndb
Published
2026-02-05 08:38
Modified
2026-02-05 09:10
Summary
Username enumeration through timing difference in mod_wsgi authentication handler
Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "django",
"purl": "pkg:bitnami/django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.28"
},
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.11"
},
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2025-13473"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"id": "BIT-django-2025-13473",
"modified": "2026-02-05T09:10:30.960Z",
"published": "2026-02-05T08:38:16.508Z",
"references": [
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/django-announce"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13473"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
}
],
"schema_version": "1.6.2",
"summary": "Username enumeration through timing difference in mod_wsgi authentication handler"
}
GHSA-2MCM-79HX-8FXW
Vulnerability from github – Published: 2026-02-03 15:30 – Updated: 2026-02-03 19:22
VLAI?
Summary
Django has Observable Timing Discrepancy
Details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "6.0a1"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "5.2a1"
},
{
"fixed": "5.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2a1"
},
{
"fixed": "4.2.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13473"
],
"database_specific": {
"cwe_ids": [
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T19:22:54Z",
"nvd_published_at": "2026-02-03T15:16:11Z",
"severity": "LOW"
},
"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n\nThe `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n\nDjango would like to thank Stackered for reporting this issue.",
"id": "GHSA-2mcm-79hx-8fxw",
"modified": "2026-02-03T19:22:54Z",
"published": "2026-02-03T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13473"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/django-announce"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Django has Observable Timing Discrepancy"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…