{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"python-django security update", "category":"general", "title":"Synopsis" }, { "text":"An update for python-django is now available for openEuler-24.03-LTS", "category":"general", "title":"Summary" }, { "text":"A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\n\nSecurity Fix(es):\n\nAn issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of \"low\" according to the Django security policy.(CVE-2025-13473)\n\nAn issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.(CVE-2025-14550)\n\nAn issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-1207)\n\nAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.(CVE-2026-1285)\n\nA SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.(CVE-2026-1287)\n\nAn SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods, and the same alias is reused in FilteredRelation via a specially crafted dictionary using dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.(CVE-2026-1312)", "category":"general", "title":"Description" }, { "text":"An update for python-django is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"python-django", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-1307", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" }, { "summary":"CVE-2025-13473", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-13473&packageName=python-django" }, { "summary":"CVE-2025-14550", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-14550&packageName=python-django" }, { "summary":"CVE-2026-1207", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1207&packageName=python-django" }, { "summary":"CVE-2026-1285", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1285&packageName=python-django" }, { "summary":"CVE-2026-1287", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1287&packageName=python-django" }, { "summary":"CVE-2026-1312", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1312&packageName=python-django" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13473" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14550" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1207" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1285" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1287" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1312" }, { "summary":"openEuler-SA-2026-1307 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-1307.json" } ], "title":"An update for python-django is now available for openEuler-24.03-LTS", "tracking":{ "initial_release_date":"2026-02-10T14:30:08+08:00", "revision_history":[ { "date":"2026-02-10T14:30:08+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-02-10T14:30:08+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-02-10T14:30:08+08:00", "id":"openEuler-SA-2026-1307", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-django-help-4.2.15-12.oe2403.noarch.rpm", "name":"python-django-help-4.2.15-12.oe2403.noarch.rpm" }, "name":"python-django-help-4.2.15-12.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-Django-4.2.15-12.oe2403.noarch.rpm", "name":"python3-Django-4.2.15-12.oe2403.noarch.rpm" }, "name":"python3-Django-4.2.15-12.oe2403.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-django-4.2.15-12.oe2403.src.rpm", "name":"python-django-4.2.15-12.oe2403.src.rpm" }, "name":"python-django-4.2.15-12.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-django-help-4.2.15-12.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "name":"python-django-help-4.2.15-12.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-Django-4.2.15-12.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "name":"python3-Django-4.2.15-12.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-django-4.2.15-12.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src", "name":"python-django-4.2.15-12.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-13473", "notes":[ { "text":"An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of \"low\" according to the Django security policy.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-13473" }, { "cve":"CVE-2025-14550", "notes":[ { "text":"An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-14550" }, { "cve":"CVE-2026-1207", "notes":[ { "text":"An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-1207" }, { "cve":"CVE-2026-1285", "notes":[ { "text":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-1285" }, { "cve":"CVE-2026-1287", "notes":[ { "text":"A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-1287" }, { "cve":"CVE-2026-1312", "notes":[ { "text":"An SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods, and the same alias is reused in FilteredRelation via a specially crafted dictionary using dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ], "details":"python-django security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1307" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-django-help-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python3-Django-4.2.15-12.oe2403.noarch", "openEuler-24.03-LTS:python-django-4.2.15-12.oe2403.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-1312" } ] }