Vulnerabilities > Djangoproject > Django > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-05-07 CVE-2023-31047 Improper Input Validation vulnerability in multiple products
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files.
network
low complexity
djangoproject fedoraproject CWE-20
critical
 9.8
9.8
2022-07-04 CVE-2022-34265 SQL Injection vulnerability in Djangoproject Django
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6.
network
low complexity
djangoproject CWE-89
critical
 9.8
9.8
2022-04-12 CVE-2022-28347 SQL Injection vulnerability in multiple products
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
network
low complexity
djangoproject debian CWE-89
critical
 9.8
9.8
2022-04-12 CVE-2022-28346 SQL Injection vulnerability in multiple products
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
network
low complexity
djangoproject debian CWE-89
critical
 9.8
9.8
2021-07-02 CVE-2021-35042 SQL Injection vulnerability in multiple products
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
network
low complexity
djangoproject fedoraproject CWE-89
critical
 9.8
9.8
2020-02-03 CVE-2020-7471 SQL Injection vulnerability in Djangoproject Django
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter).
network
low complexity
djangoproject CWE-89
critical
 9.8
9.8
2019-12-18 CVE-2019-19844 Weak Password Recovery Mechanism for Forgotten Password vulnerability in multiple products
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover.
network
low complexity
djangoproject canonical CWE-640
critical
 9.8
9.8
2019-08-09 CVE-2019-14234 SQL Injection vulnerability in multiple products
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4.
network
low complexity
djangoproject fedoraproject debian CWE-89
critical
 9.8
9.8
2016-12-09 CVE-2016-9013 Use of Hard-coded Credentials vulnerability in multiple products
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
network
low complexity
djangoproject canonical fedoraproject CWE-798
critical
 9.8
9.8
2014-04-23 CVE-2014-0474 Resource Management Errors vulnerability in multiple products
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
network
low complexity
canonical djangoproject CWE-399
critical
 10.0
10