Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by django-unicorn
CVE-2026-31815 (GCVE-0-2026-31815)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:07 – Updated: 2026-03-11 14:18
VLAI
Title
django-unicorn affected by component state manipulation via unvalidated attribute access
Summary
Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/django-commons/django-unicorn/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| django-commons | django-unicorn |
Affected:
< 0.67.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31815",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:17:42.872101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:18:26.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "django-unicorn",
"vendor": "django-commons",
"versions": [
{
"status": "affected",
"version": "\u003c 0.67.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T21:07:08.198Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367"
}
],
"source": {
"advisory": "GHSA-ffv6-jj46-x367",
"discovery": "UNKNOWN"
},
"title": "django-unicorn affected by component state manipulation via unvalidated attribute access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31815",
"datePublished": "2026-03-10T21:07:08.198Z",
"dateReserved": "2026-03-09T16:33:42.914Z",
"dateUpdated": "2026-03-11T14:18:26.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-42134 (GCVE-0-2021-42134)
Vulnerability from cvelistv5 – Published: 2021-10-11 00:55 – Updated: 2024-08-04 03:30
VLAI
Summary
The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/adamghill/django-unicorn/commi… | x_refsource_MISC |
| https://github.com/adamghill/django-unicorn/compa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:36.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-11T00:55:43.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42134",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6",
"refsource": "MISC",
"url": "https://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6"
},
{
"name": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1",
"refsource": "MISC",
"url": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42134",
"datePublished": "2021-10-11T00:55:43.000Z",
"dateReserved": "2021-10-11T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:30:36.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42053 (GCVE-0-2021-42053)
Vulnerability from cvelistv5 – Published: 2021-10-07 05:21 – Updated: 2024-08-04 03:22
VLAI
Summary
The Unicorn framework through 0.35.3 for Django allows XSS via component.name.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/adamghill/django-unicorn/pull/… | x_refsource_MISC |
| http://packetstormsecurity.com/files/164442/djang… | x_refsource_MISC |
| https://github.com/adamghill/django-unicorn/compa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:25.948Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adamghill/django-unicorn/pull/288/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Unicorn framework through 0.35.3 for Django allows XSS via component.name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-11T00:54:49.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adamghill/django-unicorn/pull/288/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42053",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Unicorn framework through 0.35.3 for Django allows XSS via component.name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/adamghill/django-unicorn/pull/288/files",
"refsource": "MISC",
"url": "https://github.com/adamghill/django-unicorn/pull/288/files"
},
{
"name": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html"
},
{
"name": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0",
"refsource": "MISC",
"url": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42053",
"datePublished": "2021-10-07T05:21:05.000Z",
"dateReserved": "2021-10-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:22:25.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}