CVE-2025-64460 (GCVE-0-2025-64460)
Vulnerability from cvelistv5 – Published: 2025-12-02 15:15 – Updated: 2025-12-02 21:54
Title
Potential denial-of-service vulnerability in XML serializer text extraction
Summary
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Exposure is therefore limited to code paths that feed attacker-controlled XML into that `Deserializer`; the fix is to upgrade to 5.2.9, 5.1.15, or 4.2.27 (or later).
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity
The CNA (DSF) supplied no CVSS vector; Django's own rating for this issue is "moderate". CISA ADP enrichment scores it CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with an SSVC assessment of Exploitation: none, Automatable: no, Technical Impact: partial. Treat the 7.5 base score as an upper bound: the availability impact only materialises where untrusted XML reaches the XML `Deserializer`.
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner: DSF
References
| URL | Tags |
|---|---|
| https://docs.djangoproject.com/en/dev/releases/security/ | vendor-advisory |
| https://groups.google.com/g/django-announce | mailing-list |
| https://www.djangoproject.com/weblog/2025/dec/02/security-releases/ | vendor-advisory |
Impacted products
| Vendor | Product | Version (semver) | Status |
|---|---|---|---|
| djangoproject | Django | 5.2 , < 5.2.9 | Affected |
| djangoproject | Django | 5.2.9 | Unaffected |
| djangoproject | Django | 5.1 , < 5.1.15 | Affected |
| djangoproject | Django | 5.1.15 | Unaffected |
| djangoproject | Django | 4.2 , < 4.2.27 | Affected |
| djangoproject | Django | 4.2.27 | Unaffected |

Default status for versions not listed is "unaffected" in the CVE record; note that the earlier, unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected.
Credits
Seokchan Yoon
Shai Berger
Natalia Bidart
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T21:53:53.299074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T21:54:23.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.2.9",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.9",
"versionType": "semver"
},
{
"lessThan": "5.1.15",
"status": "affected",
"version": "5.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.1.15",
"versionType": "semver"
},
{
"lessThan": "4.2.27",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.27",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shai Berger"
},
{
"lang": "en",
"type": "coordinator",
"value": "Natalia Bidart"
}
],
"datePublic": "2025-12-02T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\u003c/p\u003e\u003cp\u003eAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130: Excessive Allocation"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "moderate"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T15:15:34.451Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 5.2.9, 5.1.15, and 4.2.27",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-03T00:00:00+00:00",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-10-03T00:00:00+00:00",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2025-12-02T14:00:00+00:00",
"value": "Security release issued."
}
],
"title": "Potential denial-of-service vulnerability in XML serializer text extraction",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-64460",
"datePublished": "2025-12-02T15:15:34.451Z",
"dateReserved": "2025-11-04T14:35:57.527Z",
"dateUpdated": "2025-12-02T21:54:23.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64460\",\"sourceIdentifier\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"published\":\"2025-12-02T16:15:56.013\",\"lastModified\":\"2025-12-10T21:47:14.340\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Seokchan Yoon for reporting this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2\",\"versionEndExcluding\":\"4.2.27\",\"matchCriteriaId\":\"5208B938-135B-4682-9340-C15B7329ABA6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"5.1.15\",\"matchCriteriaId\":\"37B0F07E-
F8EA-4DFF-8ED9-C60A79A9ED24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"5.2.9\",\"matchCriteriaId\":\"C523418D-ACB5-4E97-9D05-6879B0F48344\"}]}]}],\"references\":[{\"url\":\"https://docs.djangoproject.com/en/dev/releases/security/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/django-announce\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64460\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T21:53:53.299074Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T21:54:17.844Z\"}}], \"cna\": {\"title\": \"Potential denial-of-service vulnerability in XML serializer text extraction\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Seokchan Yoon\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Shai Berger\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Natalia Bidart\"}], \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130: Excessive Allocation\"}]}], \"metrics\": [{\"other\": {\"type\": \"Django severity rating\", \"content\": {\"value\": \"moderate\", \"namespace\": \"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels\"}}}], \"affected\": [{\"repo\": \"https://github.com/django/django/\", \"vendor\": \"djangoproject\", \"product\": \"Django\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.2\", \"lessThan\": \"5.2.9\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.2.9\", \"versionType\": 
\"semver\"}, {\"status\": \"affected\", \"version\": \"5.1\", \"lessThan\": \"5.1.15\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.1.15\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.2\", \"lessThan\": \"4.2.27\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.2.27\", \"versionType\": \"semver\"}], \"packageName\": \"django\", \"collectionURL\": \"https://pypi.org/project/Django/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-10-03T00:00:00+00:00\", \"value\": \"Initial report received.\"}, {\"lang\": \"en\", \"time\": \"2025-10-03T00:00:00+00:00\", \"value\": \"Vulnerability confirmed.\"}, {\"lang\": \"en\", \"time\": \"2025-12-02T14:00:00+00:00\", \"value\": \"Security release issued.\"}], \"datePublic\": \"2025-12-02T14:00:00.000Z\", \"references\": [{\"url\": \"https://docs.djangoproject.com/en/dev/releases/security/\", \"name\": \"Django security archive\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://groups.google.com/g/django-announce\", \"name\": \"Django releases announcements\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2025/dec/02/security-releases/\", \"name\": \"Django security releases issued: 5.2.9, 5.1.15, and 4.2.27\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Seokchan Yoon for reporting this 
issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\u003c/p\u003e\u003cp\u003eAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"shortName\": \"DSF\", \"dateUpdated\": \"2025-12-02T15:15:34.451Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64460\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-02T21:54:23.307Z\", \"dateReserved\": \"2025-11-04T14:35:57.527Z\", \"assignerOrgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"datePublished\": \"2025-12-02T15:15:34.451Z\", \"assignerShortName\": \"DSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-VRCR-9HJ9-JCG6
Vulnerability from github – Published: 2025-12-02 18:30 – Updated: 2025-12-03 16:59
Summary
Django is vulnerable to DoS via XML serializer text extraction
Details
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity: MODERATE (GitHub-reviewed). CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N — network-reachable without privileges or user interaction, but attack requirements are present (AT:P) and the availability impact is rated Low, which is why this rating is lower than the CISA ADP CVSS 3.1 score of 7.5.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "5.2a1"
},
{
"fixed": "5.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "5.1a1"
},
{
"fixed": "5.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2a1"
},
{
"fixed": "4.2.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64460"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-03T16:59:02Z",
"nvd_published_at": "2025-12-02T16:15:56Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"id": "GHSA-vrcr-9hj9-jcg6",
"modified": "2025-12-03T16:59:02Z",
"published": "2025-12-02T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64460"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/0db9ea4669312f1f4973e09f4bca06ab9c1ec74b"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1dbd07a608e495a0c229edaaf84d58d8976313b5"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/4d2b8803bebcdefd2b76e9e8fc528d5fddea93f0"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/99e7d22f55497278d0bcb2e15e72ef532e62a31d"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/dev/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/django-announce"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django is vulnerable to DoS via XML serializer text extraction"
}
OPENSUSE-SU-2026:10005-1
Vulnerability from csaf_opensuse - Published: 2026-01-03 00:00 - Updated: 2026-01-03 00:00
Summary
python312-Django6-6.0-1.1 on GA media
Notes
Title of the patch
python312-Django6-6.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the python312-Django6-6.0-1.1 package on the GA media of openSUSE Tumbleweed. Note that this notice's reference list spans CVE-2015-3982 through CVE-2025-64460: it is a GA-media inventory advisory for the Django 6.0 package (python312-Django6 and python313-Django6), not a targeted backport for CVE-2025-64460 alone.
Patchnames
openSUSE-Tumbleweed-2026-10005
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python312-Django6-6.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python312-Django6-6.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10005",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10005-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-3982 page",
"url": "https://www.suse.com/security/cve/CVE-2015-3982/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5145 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5145/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5963 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5963/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-7401 page",
"url": "https://www.suse.com/security/cve/CVE-2016-7401/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12794 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12794/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7233 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7233/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7234 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16984 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16984/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-6188 page",
"url": "https://www.suse.com/security/cve/CVE-2018-6188/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7536 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7536/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7537 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7537/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-11358 page",
"url": "https://www.suse.com/security/cve/CVE-2019-11358/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12308 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12308/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12781 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12781/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-14232 page",
"url": "https://www.suse.com/security/cve/CVE-2019-14232/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-19118 page",
"url": "https://www.suse.com/security/cve/CVE-2019-19118/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-19844 page",
"url": "https://www.suse.com/security/cve/CVE-2019-19844/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3498 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3498/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-6975 page",
"url": "https://www.suse.com/security/cve/CVE-2019-6975/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-13254 page",
"url": "https://www.suse.com/security/cve/CVE-2020-13254/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-13596 page",
"url": "https://www.suse.com/security/cve/CVE-2020-13596/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-24583 page",
"url": "https://www.suse.com/security/cve/CVE-2020-24583/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-24584 page",
"url": "https://www.suse.com/security/cve/CVE-2020-24584/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7471 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7471/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-9402 page",
"url": "https://www.suse.com/security/cve/CVE-2020-9402/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-31542 page",
"url": "https://www.suse.com/security/cve/CVE-2021-31542/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32052 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32052/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-33203 page",
"url": "https://www.suse.com/security/cve/CVE-2021-33203/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-33571 page",
"url": "https://www.suse.com/security/cve/CVE-2021-33571/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-35042 page",
"url": "https://www.suse.com/security/cve/CVE-2021-35042/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-45115 page",
"url": "https://www.suse.com/security/cve/CVE-2021-45115/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-45452 page",
"url": "https://www.suse.com/security/cve/CVE-2021-45452/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-22818 page",
"url": "https://www.suse.com/security/cve/CVE-2022-22818/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23833 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23833/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-28346 page",
"url": "https://www.suse.com/security/cve/CVE-2022-28346/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-28347 page",
"url": "https://www.suse.com/security/cve/CVE-2022-28347/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-34265 page",
"url": "https://www.suse.com/security/cve/CVE-2022-34265/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36359 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36359/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41323 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41323/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-23969 page",
"url": "https://www.suse.com/security/cve/CVE-2023-23969/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-24580 page",
"url": "https://www.suse.com/security/cve/CVE-2023-24580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-31047 page",
"url": "https://www.suse.com/security/cve/CVE-2023-31047/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-36053 page",
"url": "https://www.suse.com/security/cve/CVE-2023-36053/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-41164 page",
"url": "https://www.suse.com/security/cve/CVE-2023-41164/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-43665 page",
"url": "https://www.suse.com/security/cve/CVE-2023-43665/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24680 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24680/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-27351 page",
"url": "https://www.suse.com/security/cve/CVE-2024-27351/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-38875 page",
"url": "https://www.suse.com/security/cve/CVE-2024-38875/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-39329 page",
"url": "https://www.suse.com/security/cve/CVE-2024-39329/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-39330 page",
"url": "https://www.suse.com/security/cve/CVE-2024-39330/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-39614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-39614/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-41989 page",
"url": "https://www.suse.com/security/cve/CVE-2024-41989/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-41990 page",
"url": "https://www.suse.com/security/cve/CVE-2024-41990/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-41991 page",
"url": "https://www.suse.com/security/cve/CVE-2024-41991/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-42005 page",
"url": "https://www.suse.com/security/cve/CVE-2024-42005/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45230 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45230/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45231 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45231/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53907 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53907/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-53908 page",
"url": "https://www.suse.com/security/cve/CVE-2024-53908/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-56374 page",
"url": "https://www.suse.com/security/cve/CVE-2024-56374/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13372 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13372/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-26699 page",
"url": "https://www.suse.com/security/cve/CVE-2025-26699/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27556 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27556/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-32873 page",
"url": "https://www.suse.com/security/cve/CVE-2025-32873/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-57833 page",
"url": "https://www.suse.com/security/cve/CVE-2025-57833/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59681 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59681/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59682 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59682/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64459 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64459/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64460 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64460/"
}
],
"title": "python312-Django6-6.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-01-03T00:00:00Z",
"generator": {
"date": "2026-01-03T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10005-1",
"initial_release_date": "2026-01-03T00:00:00Z",
"revision_history": [
{
"date": "2026-01-03T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0-1.1.aarch64",
"product": {
"name": "python312-Django6-6.0-1.1.aarch64",
"product_id": "python312-Django6-6.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0-1.1.aarch64",
"product": {
"name": "python313-Django6-6.0-1.1.aarch64",
"product_id": "python313-Django6-6.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0-1.1.ppc64le",
"product": {
"name": "python312-Django6-6.0-1.1.ppc64le",
"product_id": "python312-Django6-6.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0-1.1.ppc64le",
"product": {
"name": "python313-Django6-6.0-1.1.ppc64le",
"product_id": "python313-Django6-6.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0-1.1.s390x",
"product": {
"name": "python312-Django6-6.0-1.1.s390x",
"product_id": "python312-Django6-6.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0-1.1.s390x",
"product": {
"name": "python313-Django6-6.0-1.1.s390x",
"product_id": "python313-Django6-6.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python312-Django6-6.0-1.1.x86_64",
"product": {
"name": "python312-Django6-6.0-1.1.x86_64",
"product_id": "python312-Django6-6.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Django6-6.0-1.1.x86_64",
"product": {
"name": "python313-Django6-6.0-1.1.x86_64",
"product_id": "python313-Django6-6.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64"
},
"product_reference": "python312-Django6-6.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le"
},
"product_reference": "python312-Django6-6.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x"
},
"product_reference": "python312-Django6-6.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-Django6-6.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64"
},
"product_reference": "python312-Django6-6.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64"
},
"product_reference": "python313-Django6-6.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le"
},
"product_reference": "python313-Django6-6.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x"
},
"product_reference": "python313-Django6-6.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Django6-6.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
},
"product_reference": "python313-Django6-6.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3982",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-3982"
}
],
"notes": [
{
"category": "general",
"text": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-3982",
"url": "https://www.suse.com/security/cve/CVE-2015-3982"
},
{
"category": "external",
"summary": "SUSE Bug 932265 for CVE-2015-3982",
"url": "https://bugzilla.suse.com/932265"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-3982"
},
{
"cve": "CVE-2015-5145",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5145"
}
],
"notes": [
{
"category": "general",
"text": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5145",
"url": "https://www.suse.com/security/cve/CVE-2015-5145"
},
{
"category": "external",
"summary": "SUSE Bug 937524 for CVE-2015-5145",
"url": "https://bugzilla.suse.com/937524"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2015-5145"
},
{
"cve": "CVE-2015-5963",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5963"
}
],
"notes": [
{
"category": "general",
"text": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5963",
"url": "https://www.suse.com/security/cve/CVE-2015-5963"
},
{
"category": "external",
"summary": "SUSE Bug 941587 for CVE-2015-5963",
"url": "https://bugzilla.suse.com/941587"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-5963"
},
{
"cve": "CVE-2016-7401",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-7401"
}
],
"notes": [
{
"category": "general",
"text": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-7401",
"url": "https://www.suse.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "SUSE Bug 1001374 for CVE-2016-7401",
"url": "https://bugzilla.suse.com/1001374"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2016-7401"
},
{
"cve": "CVE-2017-12794",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12794"
}
],
"notes": [
{
"category": "general",
"text": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12794",
"url": "https://www.suse.com/security/cve/CVE-2017-12794"
},
{
"category": "external",
"summary": "SUSE Bug 1056284 for CVE-2017-12794",
"url": "https://bugzilla.suse.com/1056284"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-12794"
},
{
"cve": "CVE-2017-7233",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7233"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7233",
"url": "https://www.suse.com/security/cve/CVE-2017-7233"
},
{
"category": "external",
"summary": "SUSE Bug 1031450 for CVE-2017-7233",
"url": "https://bugzilla.suse.com/1031450"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2017-7233"
},
{
"cve": "CVE-2017-7234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7234"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7234",
"url": "https://www.suse.com/security/cve/CVE-2017-7234"
},
{
"category": "external",
"summary": "SUSE Bug 1031451 for CVE-2017-7234",
"url": "https://bugzilla.suse.com/1031451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2017-7234"
},
{
"cve": "CVE-2018-16984",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16984"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16984",
"url": "https://www.suse.com/security/cve/CVE-2018-16984"
},
{
"category": "external",
"summary": "SUSE Bug 1109621 for CVE-2018-16984",
"url": "https://bugzilla.suse.com/1109621"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-16984"
},
{
"cve": "CVE-2018-6188",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-6188"
}
],
"notes": [
{
"category": "general",
"text": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-6188",
"url": "https://www.suse.com/security/cve/CVE-2018-6188"
},
{
"category": "external",
"summary": "SUSE Bug 1077714 for CVE-2018-6188",
"url": "https://bugzilla.suse.com/1077714"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-6188"
},
{
"cve": "CVE-2018-7536",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7536"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7536",
"url": "https://www.suse.com/security/cve/CVE-2018-7536"
},
{
"category": "external",
"summary": "SUSE Bug 1083304 for CVE-2018-7536",
"url": "https://bugzilla.suse.com/1083304"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-7536"
},
{
"cve": "CVE-2018-7537",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7537"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7537",
"url": "https://www.suse.com/security/cve/CVE-2018-7537"
},
{
"category": "external",
"summary": "SUSE Bug 1083305 for CVE-2018-7537",
"url": "https://bugzilla.suse.com/1083305"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-7537"
},
{
"cve": "CVE-2019-11358",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-11358"
}
],
"notes": [
{
"category": "general",
"text": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-11358",
"url": "https://www.suse.com/security/cve/CVE-2019-11358"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-11358"
},
{
"cve": "CVE-2019-12308",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12308"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12308",
"url": "https://www.suse.com/security/cve/CVE-2019-12308"
},
{
"category": "external",
"summary": "SUSE Bug 1136468 for CVE-2019-12308",
"url": "https://bugzilla.suse.com/1136468"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-12308"
},
{
"cve": "CVE-2019-12781",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12781"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12781",
"url": "https://www.suse.com/security/cve/CVE-2019-12781"
},
{
"category": "external",
"summary": "SUSE Bug 1124991 for CVE-2019-12781",
"url": "https://bugzilla.suse.com/1124991"
},
{
"category": "external",
"summary": "SUSE Bug 1139945 for CVE-2019-12781",
"url": "https://bugzilla.suse.com/1139945"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-12781"
},
{
"cve": "CVE-2019-14232",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-14232"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-14232",
"url": "https://www.suse.com/security/cve/CVE-2019-14232"
},
{
"category": "external",
"summary": "SUSE Bug 1142880 for CVE-2019-14232",
"url": "https://bugzilla.suse.com/1142880"
},
{
"category": "external",
"summary": "SUSE Bug 1215978 for CVE-2019-14232",
"url": "https://bugzilla.suse.com/1215978"
},
{
"category": "external",
"summary": "SUSE Bug 1220358 for CVE-2019-14232",
"url": "https://bugzilla.suse.com/1220358"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-14232"
},
{
"cve": "CVE-2019-19118",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-19118"
}
],
"notes": [
{
"category": "general",
"text": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-19118",
"url": "https://www.suse.com/security/cve/CVE-2019-19118"
},
{
"category": "external",
"summary": "SUSE Bug 1157705 for CVE-2019-19118",
"url": "https://bugzilla.suse.com/1157705"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-19118"
},
{
"cve": "CVE-2019-19844",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-19844"
}
],
"notes": [
{
"category": "general",
"text": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\u0027s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-19844",
"url": "https://www.suse.com/security/cve/CVE-2019-19844"
},
{
"category": "external",
"summary": "SUSE Bug 1159447 for CVE-2019-19844",
"url": "https://bugzilla.suse.com/1159447"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-19844"
},
{
"cve": "CVE-2019-3498",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3498"
}
],
"notes": [
{
"category": "general",
"text": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3498",
"url": "https://www.suse.com/security/cve/CVE-2019-3498"
},
{
"category": "external",
"summary": "SUSE Bug 1120932 for CVE-2019-3498",
"url": "https://bugzilla.suse.com/1120932"
},
{
"category": "external",
"summary": "SUSE Bug 1139945 for CVE-2019-3498",
"url": "https://bugzilla.suse.com/1139945"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2019-3498"
},
{
"cve": "CVE-2019-6975",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-6975"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-6975",
"url": "https://www.suse.com/security/cve/CVE-2019-6975"
},
{
"category": "external",
"summary": "SUSE Bug 1124991 for CVE-2019-6975",
"url": "https://bugzilla.suse.com/1124991"
},
{
"category": "external",
"summary": "SUSE Bug 1139945 for CVE-2019-6975",
"url": "https://bugzilla.suse.com/1139945"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-6975"
},
{
"cve": "CVE-2020-13254",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-13254"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-13254",
"url": "https://www.suse.com/security/cve/CVE-2020-13254"
},
{
"category": "external",
"summary": "SUSE Bug 1172166 for CVE-2020-13254",
"url": "https://bugzilla.suse.com/1172166"
},
{
"category": "external",
"summary": "SUSE Bug 1172167 for CVE-2020-13254",
"url": "https://bugzilla.suse.com/1172167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-13254"
},
{
"cve": "CVE-2020-13596",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-13596"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-13596",
"url": "https://www.suse.com/security/cve/CVE-2020-13596"
},
{
"category": "external",
"summary": "SUSE Bug 1172166 for CVE-2020-13596",
"url": "https://bugzilla.suse.com/1172166"
},
{
"category": "external",
"summary": "SUSE Bug 1172167 for CVE-2020-13596",
"url": "https://bugzilla.suse.com/1172167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-13596"
},
{
"cve": "CVE-2020-24583",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-24583"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-24583",
"url": "https://www.suse.com/security/cve/CVE-2020-24583"
},
{
"category": "external",
"summary": "SUSE Bug 1175784 for CVE-2020-24583",
"url": "https://bugzilla.suse.com/1175784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-24583"
},
{
"cve": "CVE-2020-24584",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-24584"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system\u0027s standard umask rather than 0o077.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-24584",
"url": "https://www.suse.com/security/cve/CVE-2020-24584"
},
{
"category": "external",
"summary": "SUSE Bug 1175784 for CVE-2020-24584",
"url": "https://bugzilla.suse.com/1175784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-24584"
},
{
"cve": "CVE-2020-7471",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7471"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7471",
"url": "https://www.suse.com/security/cve/CVE-2020-7471"
},
{
"category": "external",
"summary": "SUSE Bug 1161919 for CVE-2020-7471",
"url": "https://bugzilla.suse.com/1161919"
},
{
"category": "external",
"summary": "SUSE Bug 1161920 for CVE-2020-7471",
"url": "https://bugzilla.suse.com/1161920"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-7471"
},
{
"cve": "CVE-2020-9402",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-9402"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-9402",
"url": "https://www.suse.com/security/cve/CVE-2020-9402"
},
{
"category": "external",
"summary": "SUSE Bug 1165022 for CVE-2020-9402",
"url": "https://bugzilla.suse.com/1165022"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-9402"
},
{
"cve": "CVE-2021-31542",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-31542"
}
],
"notes": [
{
"category": "general",
"text": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-31542",
"url": "https://www.suse.com/security/cve/CVE-2021-31542"
},
{
"category": "external",
"summary": "SUSE Bug 1185623 for CVE-2021-31542",
"url": "https://bugzilla.suse.com/1185623"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-31542"
},
{
"cve": "CVE-2021-32052",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32052"
}
],
"notes": [
{
"category": "general",
"text": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32052",
"url": "https://www.suse.com/security/cve/CVE-2021-32052"
},
{
"category": "external",
"summary": "SUSE Bug 1185713 for CVE-2021-32052",
"url": "https://bugzilla.suse.com/1185713"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-32052"
},
{
"cve": "CVE-2021-33203",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-33203"
}
],
"notes": [
{
"category": "general",
"text": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-33203",
"url": "https://www.suse.com/security/cve/CVE-2021-33203"
},
{
"category": "external",
"summary": "SUSE Bug 1186608 for CVE-2021-33203",
"url": "https://bugzilla.suse.com/1186608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-33203"
},
{
"cve": "CVE-2021-33571",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-33571"
}
],
"notes": [
{
"category": "general",
"text": "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-33571",
"url": "https://www.suse.com/security/cve/CVE-2021-33571"
},
{
"category": "external",
"summary": "SUSE Bug 1186611 for CVE-2021-33571",
"url": "https://bugzilla.suse.com/1186611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-33571"
},
{
"cve": "CVE-2021-35042",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-35042"
}
],
"notes": [
{
"category": "general",
"text": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-35042",
"url": "https://www.suse.com/security/cve/CVE-2021-35042"
},
{
"category": "external",
"summary": "SUSE Bug 1187785 for CVE-2021-35042",
"url": "https://bugzilla.suse.com/1187785"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-35042"
},
{
"cve": "CVE-2021-45115",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-45115"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-45115",
"url": "https://www.suse.com/security/cve/CVE-2021-45115"
},
{
"category": "external",
"summary": "SUSE Bug 1194115 for CVE-2021-45115",
"url": "https://bugzilla.suse.com/1194115"
},
{
"category": "external",
"summary": "SUSE Bug 1194117 for CVE-2021-45115",
"url": "https://bugzilla.suse.com/1194117"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-45115"
},
{
"cve": "CVE-2021-45452",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-45452"
}
],
"notes": [
{
"category": "general",
"text": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-45452",
"url": "https://www.suse.com/security/cve/CVE-2021-45452"
},
{
"category": "external",
"summary": "SUSE Bug 1194116 for CVE-2021-45452",
"url": "https://bugzilla.suse.com/1194116"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-45452"
},
{
"cve": "CVE-2022-22818",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-22818"
}
],
"notes": [
{
"category": "general",
"text": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-22818",
"url": "https://www.suse.com/security/cve/CVE-2022-22818"
},
{
"category": "external",
"summary": "SUSE Bug 1195086 for CVE-2022-22818",
"url": "https://bugzilla.suse.com/1195086"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-22818"
},
{
"cve": "CVE-2022-23833",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23833"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23833",
"url": "https://www.suse.com/security/cve/CVE-2022-23833"
},
{
"category": "external",
"summary": "SUSE Bug 1195088 for CVE-2022-23833",
"url": "https://bugzilla.suse.com/1195088"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-23833"
},
{
"cve": "CVE-2022-28346",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-28346"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-28346",
"url": "https://www.suse.com/security/cve/CVE-2022-28346"
},
{
"category": "external",
"summary": "SUSE Bug 1198398 for CVE-2022-28346",
"url": "https://bugzilla.suse.com/1198398"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-28346"
},
{
"cve": "CVE-2022-28347",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-28347"
}
],
"notes": [
{
"category": "general",
"text": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-28347",
"url": "https://www.suse.com/security/cve/CVE-2022-28347"
},
{
"category": "external",
"summary": "SUSE Bug 1198399 for CVE-2022-28347",
"url": "https://bugzilla.suse.com/1198399"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-28347"
},
{
"cve": "CVE-2022-34265",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-34265"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-34265",
"url": "https://www.suse.com/security/cve/CVE-2022-34265"
},
{
"category": "external",
"summary": "SUSE Bug 1201186 for CVE-2022-34265",
"url": "https://bugzilla.suse.com/1201186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-34265"
},
{
"cve": "CVE-2022-36359",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36359"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36359",
"url": "https://www.suse.com/security/cve/CVE-2022-36359"
},
{
"category": "external",
"summary": "SUSE Bug 1201923 for CVE-2022-36359",
"url": "https://bugzilla.suse.com/1201923"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-36359"
},
{
"cve": "CVE-2022-41323",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41323"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41323",
"url": "https://www.suse.com/security/cve/CVE-2022-41323"
},
{
"category": "external",
"summary": "SUSE Bug 1203793 for CVE-2022-41323",
"url": "https://bugzilla.suse.com/1203793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41323"
},
{
"cve": "CVE-2023-23969",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-23969"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-23969",
"url": "https://www.suse.com/security/cve/CVE-2023-23969"
},
{
"category": "external",
"summary": "SUSE Bug 1207565 for CVE-2023-23969",
"url": "https://bugzilla.suse.com/1207565"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-23969"
},
{
"cve": "CVE-2023-24580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-24580"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-24580",
"url": "https://www.suse.com/security/cve/CVE-2023-24580"
},
{
"category": "external",
"summary": "SUSE Bug 1208082 for CVE-2023-24580",
"url": "https://bugzilla.suse.com/1208082"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-24580"
},
{
"cve": "CVE-2023-31047",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-31047"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django\u0027s \"Uploading multiple files\" documentation suggested otherwise.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-31047",
"url": "https://www.suse.com/security/cve/CVE-2023-31047"
},
{
"category": "external",
"summary": "SUSE Bug 1210866 for CVE-2023-31047",
"url": "https://bugzilla.suse.com/1210866"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-31047"
},
{
"cve": "CVE-2023-36053",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-36053"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-36053",
"url": "https://www.suse.com/security/cve/CVE-2023-36053"
},
{
"category": "external",
"summary": "SUSE Bug 1212742 for CVE-2023-36053",
"url": "https://bugzilla.suse.com/1212742"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-36053"
},
{
"cve": "CVE-2023-41164",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-41164"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-41164",
"url": "https://www.suse.com/security/cve/CVE-2023-41164"
},
{
"category": "external",
"summary": "SUSE Bug 1214667 for CVE-2023-41164",
"url": "https://bugzilla.suse.com/1214667"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-41164"
},
{
"cve": "CVE-2023-43665",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-43665"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-43665",
"url": "https://www.suse.com/security/cve/CVE-2023-43665"
},
{
"category": "external",
"summary": "SUSE Bug 1215978 for CVE-2023-43665",
"url": "https://bugzilla.suse.com/1215978"
},
{
"category": "external",
"summary": "SUSE Bug 1220358 for CVE-2023-43665",
"url": "https://bugzilla.suse.com/1220358"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-43665"
},
{
"cve": "CVE-2024-24680",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24680"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24680",
"url": "https://www.suse.com/security/cve/CVE-2024-24680"
},
{
"category": "external",
"summary": "SUSE Bug 1219683 for CVE-2024-24680",
"url": "https://bugzilla.suse.com/1219683"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-24680"
},
{
"cve": "CVE-2024-27351",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-27351"
}
],
"notes": [
{
"category": "general",
"text": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-27351",
"url": "https://www.suse.com/security/cve/CVE-2024-27351"
},
{
"category": "external",
"summary": "SUSE Bug 1220358 for CVE-2024-27351",
"url": "https://bugzilla.suse.com/1220358"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE-recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-27351"
},
{
"cve": "CVE-2024-38875",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-38875"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-38875",
"url": "https://www.suse.com/security/cve/CVE-2024-38875"
},
{
"category": "external",
"summary": "SUSE Bug 1227590 for CVE-2024-38875",
"url": "https://bugzilla.suse.com/1227590"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-38875"
},
{
"cve": "CVE-2024-39329",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-39329"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-39329",
"url": "https://www.suse.com/security/cve/CVE-2024-39329"
},
{
"category": "external",
"summary": "SUSE Bug 1227590 for CVE-2024-39329",
"url": "https://bugzilla.suse.com/1227590"
},
{
"category": "external",
"summary": "SUSE Bug 1227593 for CVE-2024-39329",
"url": "https://bugzilla.suse.com/1227593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-39329"
},
{
"cve": "CVE-2024-39330",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-39330"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-39330",
"url": "https://www.suse.com/security/cve/CVE-2024-39330"
},
{
"category": "external",
"summary": "SUSE Bug 1227590 for CVE-2024-39330",
"url": "https://bugzilla.suse.com/1227590"
},
{
"category": "external",
"summary": "SUSE Bug 1227594 for CVE-2024-39330",
"url": "https://bugzilla.suse.com/1227594"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-39330"
},
{
"cve": "CVE-2024-39614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-39614"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-39614",
"url": "https://www.suse.com/security/cve/CVE-2024-39614"
},
{
"category": "external",
"summary": "SUSE Bug 1227590 for CVE-2024-39614",
"url": "https://bugzilla.suse.com/1227590"
},
{
"category": "external",
"summary": "SUSE Bug 1227595 for CVE-2024-39614",
"url": "https://bugzilla.suse.com/1227595"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-39614"
},
{
"cve": "CVE-2024-41989",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-41989"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-41989",
"url": "https://www.suse.com/security/cve/CVE-2024-41989"
},
{
"category": "external",
"summary": "SUSE Bug 1228629 for CVE-2024-41989",
"url": "https://bugzilla.suse.com/1228629"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-41989"
},
{
"cve": "CVE-2024-41990",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-41990"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-41990",
"url": "https://www.suse.com/security/cve/CVE-2024-41990"
},
{
"category": "external",
"summary": "SUSE Bug 1228630 for CVE-2024-41990",
"url": "https://bugzilla.suse.com/1228630"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-41990"
},
{
"cve": "CVE-2024-41991",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-41991"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-41991",
"url": "https://www.suse.com/security/cve/CVE-2024-41991"
},
{
"category": "external",
"summary": "SUSE Bug 1228631 for CVE-2024-41991",
"url": "https://bugzilla.suse.com/1228631"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-41991"
},
{
"cve": "CVE-2024-42005",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-42005"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-42005",
"url": "https://www.suse.com/security/cve/CVE-2024-42005"
},
{
"category": "external",
"summary": "SUSE Bug 1228632 for CVE-2024-42005",
"url": "https://bugzilla.suse.com/1228632"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-42005"
},
{
"cve": "CVE-2024-45230",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45230"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45230",
"url": "https://www.suse.com/security/cve/CVE-2024-45230"
},
{
"category": "external",
"summary": "SUSE Bug 1229823 for CVE-2024-45230",
"url": "https://bugzilla.suse.com/1229823"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45230"
},
{
"cve": "CVE-2024-45231",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45231"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16 (fixed in 5.1.1, 5.0.9, and 4.2.16, the same releases that address CVE-2024-45230). The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45231",
"url": "https://www.suse.com/security/cve/CVE-2024-45231"
},
{
"category": "external",
"summary": "SUSE Bug 1229824 for CVE-2024-45231",
"url": "https://bugzilla.suse.com/1229824"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45231"
},
{
"cve": "CVE-2024-53907",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53907"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53907",
"url": "https://www.suse.com/security/cve/CVE-2024-53907"
},
{
"category": "external",
"summary": "SUSE Bug 1234232 for CVE-2024-53907",
"url": "https://bugzilla.suse.com/1234232"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-53907"
},
{
"cve": "CVE-2024-53908",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-53908"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-53908",
"url": "https://www.suse.com/security/cve/CVE-2024-53908"
},
{
"category": "external",
"summary": "SUSE Bug 1234231 for CVE-2024-53908",
"url": "https://bugzilla.suse.com/1234231"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-53908"
},
{
"cve": "CVE-2024-56374",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-56374"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-56374",
"url": "https://www.suse.com/security/cve/CVE-2024-56374"
},
{
"category": "external",
"summary": "SUSE Bug 1235856 for CVE-2024-56374",
"url": "https://bugzilla.suse.com/1235856"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-56374"
},
{
"cve": "CVE-2025-13372",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13372"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13372",
"url": "https://www.suse.com/security/cve/CVE-2025-13372"
},
{
"category": "external",
"summary": "SUSE Bug 1254437 for CVE-2025-13372",
"url": "https://bugzilla.suse.com/1254437"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-13372"
},
{
"cve": "CVE-2025-26699",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-26699"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-26699",
"url": "https://www.suse.com/security/cve/CVE-2025-26699"
},
{
"category": "external",
"summary": "SUSE Bug 1239052 for CVE-2025-26699",
"url": "https://bugzilla.suse.com/1239052"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-26699"
},
{
"cve": "CVE-2025-27556",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27556"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27556",
"url": "https://www.suse.com/security/cve/CVE-2025-27556"
},
{
"category": "external",
"summary": "SUSE Bug 1240772 for CVE-2025-27556",
"url": "https://bugzilla.suse.com/1240772"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-27556"
},
{
"cve": "CVE-2025-32873",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-32873"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-32873",
"url": "https://www.suse.com/security/cve/CVE-2025-32873"
},
{
"category": "external",
"summary": "SUSE Bug 1242210 for CVE-2025-32873",
"url": "https://bugzilla.suse.com/1242210"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-32873"
},
{
"cve": "CVE-2025-48432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48432"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48432",
"url": "https://www.suse.com/security/cve/CVE-2025-48432"
},
{
"category": "external",
"summary": "SUSE Bug 1244095 for CVE-2025-48432",
"url": "https://bugzilla.suse.com/1244095"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-48432"
},
{
"cve": "CVE-2025-57833",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-57833"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-57833",
"url": "https://www.suse.com/security/cve/CVE-2025-57833"
},
{
"category": "external",
"summary": "SUSE Bug 1248810 for CVE-2025-57833",
"url": "https://bugzilla.suse.com/1248810"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-57833"
},
{
"cve": "CVE-2025-59681",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59681"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59681",
"url": "https://www.suse.com/security/cve/CVE-2025-59681"
},
{
"category": "external",
"summary": "SUSE Bug 1250485 for CVE-2025-59681",
"url": "https://bugzilla.suse.com/1250485"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-59681"
},
{
"cve": "CVE-2025-59682",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59682"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59682",
"url": "https://www.suse.com/security/cve/CVE-2025-59682"
},
{
"category": "external",
"summary": "SUSE Bug 1250487 for CVE-2025-59682",
"url": "https://bugzilla.suse.com/1250487"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-59682"
},
{
"cve": "CVE-2025-64459",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64459"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64459",
"url": "https://www.suse.com/security/cve/CVE-2025-64459"
},
{
"category": "external",
"summary": "SUSE Bug 1252926 for CVE-2025-64459",
"url": "https://bugzilla.suse.com/1252926"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-64459"
},
{
"cve": "CVE-2025-64460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64460"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64460",
"url": "https://www.suse.com/security/cve/CVE-2025-64460"
},
{
"category": "external",
"summary": "SUSE Bug 1254437 for CVE-2025-64460",
"url": "https://bugzilla.suse.com/1254437"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python312-Django6-6.0-1.1.x86_64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.aarch64",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.s390x",
"openSUSE Tumbleweed:python313-Django6-6.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-64460"
}
]
}
FKIE_CVE-2025-64460
Vulnerability from fkie_nvd - Published: 2025-12-02 16:15 - Updated: 2025-12-10 21:47
Severity ?
Summary
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
References
| Source | URL | Tags | |
|---|---|---|---|
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | https://docs.djangoproject.com/en/dev/releases/security/ | Patch, Vendor Advisory | |
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | https://groups.google.com/g/django-announce | Mailing List, Release Notes | |
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | https://www.djangoproject.com/weblog/2025/dec/02/security-releases/ | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | django | * | |
| djangoproject | django | * | |
| djangoproject | django | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5208B938-135B-4682-9340-C15B7329ABA6",
"versionEndExcluding": "4.2.27",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37B0F07E-F8EA-4DFF-8ED9-C60A79A9ED24",
"versionEndExcluding": "5.1.15",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C523418D-ACB5-4E97-9D05-6879B0F48344",
"versionEndExcluding": "5.2.9",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
}
],
"id": "CVE-2025-64460",
"lastModified": "2025-12-10T21:47:14.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-12-02T16:15:56.013",
"references": [
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
}
],
"sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-407"
}
],
"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"type": "Secondary"
}
]
}
SUSE-SU-2025:4384-1
Vulnerability from csaf_suse - Published: 2025-12-12 13:28 - Updated: 2025-12-12 13:28
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
- CVE-2025-13372: Fixed SQL Injection in FilteredRelation (bsc#1254437)
- CVE-2025-64460: Fixed denial of service via specially crafted XML input in
django.core.serializers.xml_serializer.getInnerText() (bsc#1254437)
Patchnames
SUSE-2025-4384,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4384,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4384,openSUSE-SLE-15.6-2025-4384
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-Django",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-Django fixes the following issues:\n\n- CVE-2025-13372: Fixed SQL Injection in FilteredRelation (bsc#1254437)\n- CVE-2025-64460: Fixed denial of service via specially crafted XML input in \n django.core.serializers.xml_serializer.getInnerText() (bsc#1254437)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-4384,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4384,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4384,openSUSE-SLE-15.6-2025-4384",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4384-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:4384-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254384-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:4384-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023533.html"
},
{
"category": "self",
"summary": "SUSE Bug 1254437",
"url": "https://bugzilla.suse.com/1254437"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13372 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13372/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64460 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64460/"
}
],
"title": "Security update for python-Django",
"tracking": {
"current_release_date": "2025-12-12T13:28:27Z",
"generator": {
"date": "2025-12-12T13:28:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:4384-1",
"initial_release_date": "2025-12-12T13:28:27Z",
"revision_history": [
{
"date": "2025-12-12T13:28:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-Django-4.2.11-150600.3.44.1.noarch",
"product": {
"name": "python311-Django-4.2.11-150600.3.44.1.noarch",
"product_id": "python311-Django-4.2.11-150600.3.44.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-4.2.11-150600.3.44.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch"
},
"product_reference": "python311-Django-4.2.11-150600.3.44.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-4.2.11-150600.3.44.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch"
},
"product_reference": "python311-Django-4.2.11-150600.3.44.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Django-4.2.11-150600.3.44.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
},
"product_reference": "python311-Django-4.2.11-150600.3.44.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13372",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13372"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13372",
"url": "https://www.suse.com/security/cve/CVE-2025-13372"
},
{
"category": "external",
"summary": "SUSE Bug 1254437 for CVE-2025-13372",
"url": "https://bugzilla.suse.com/1254437"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:28:27Z",
"details": "important"
}
],
"title": "CVE-2025-13372"
},
{
"cve": "CVE-2025-64460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64460"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64460",
"url": "https://www.suse.com/security/cve/CVE-2025-64460"
},
{
"category": "external",
"summary": "SUSE Bug 1254437 for CVE-2025-64460",
"url": "https://bugzilla.suse.com/1254437"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.44.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.44.1.noarch",
"openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.44.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T13:28:27Z",
"details": "important"
}
],
"title": "CVE-2025-64460"
}
]
}
WID-SEC-W-2025-2717
Vulnerability from csaf_certbund - Published: 2025-12-02 23:00 - Updated: 2026-01-04 23:00
Summary
Django: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Django ausnutzen, um Informationen offenzulegen oder einen Denial of Service herbeizuführen.
Betroffene Betriebssysteme
- Linux
- MacOS X
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Django ausnutzen, um Informationen offenzulegen oder einen Denial of Service herbeizuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- MacOS X\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2717 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2717.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2717 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2717"
},
{
"category": "external",
"summary": "Django security releases 5.2.9, 5.1.15, and 4.2.27 vom 2025-12-02",
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7903-1 vom 2025-12-02",
"url": "https://ubuntu.com/security/notices/USN-7903-1"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-B1379D950D vom 2025-12-09",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1379d950d"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-C08E0795C0 vom 2025-12-09",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-c08e0795c0"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-EPEL-2025-F43C018F46 vom 2025-12-09",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-f43c018f46"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-45EE190318 vom 2025-12-09",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-45ee190318"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2025-24DFD3B072 vom 2025-12-09",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-24dfd3b072"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:0465-1 vom 2025-12-10",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5VE6F5VEPJWFH73OWN3SH3BDOIVULKWS/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4384-1 vom 2025-12-12",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GK7CDYAUD6NNTNGXOGPHI7XFGAQRZZB/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025-20153-1 vom 2025-12-12",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NPP46EMICDLOI2JMRBNIEUVJTKHXYW6U/"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4425 vom 2025-12-30",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00036.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10005-1 vom 2026-01-04",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q2P2OLHVQPGSXDJWCLPISPE3TAXPLR5K/"
}
],
"source_lang": "en-US",
"title": "Django: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-04T23:00:00.000+00:00",
"generator": {
"date": "2026-01-05T08:20:37.104+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2717",
"initial_release_date": "2025-12-02T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-02T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-12-09T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2025-12-10T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-12-14T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE und openSUSE aufgenommen"
},
{
"date": "2025-12-29T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2026-01-04T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "6"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.9",
"product": {
"name": "Open Source Django \u003c5.2.9",
"product_id": "T049019"
}
},
{
"category": "product_version",
"name": "5.2.9",
"product": {
"name": "Open Source Django 5.2.9",
"product_id": "T049019-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:5.2.9"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.1.15",
"product": {
"name": "Open Source Django \u003c5.1.15",
"product_id": "T049020"
}
},
{
"category": "product_version",
"name": "5.1.15",
"product": {
"name": "Open Source Django 5.1.15",
"product_id": "T049020-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:5.1.15"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.2.27",
"product": {
"name": "Open Source Django \u003c4.2.27",
"product_id": "T049021"
}
},
{
"category": "product_version",
"name": "4.2.27",
"product": {
"name": "Open Source Django 4.2.27",
"product_id": "T049021-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:djangoproject:django:4.2.27"
}
}
}
],
"category": "product_name",
"name": "Django"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13372",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T049021",
"T000126",
"T049020",
"T027843",
"T049019",
"74185"
]
},
"release_date": "2025-12-02T23:00:00.000+00:00",
"title": "CVE-2025-13372"
},
{
"cve": "CVE-2025-64460",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T049021",
"T000126",
"T049020",
"T027843",
"T049019",
"74185"
]
},
"release_date": "2025-12-02T23:00:00.000+00:00",
"title": "CVE-2025-64460"
}
]
}
RHSA-2026:0414
Vulnerability from csaf_redhat - Published: 2026-01-08 22:34 - Updated: 2026-01-21 14:10
Summary
Red Hat Security Advisory: A Subscription Management tool for finding and reporting Red Hat product usage
Notes
Topic
A Subscription Management tool for finding and reporting Red Hat product usage
Details
Red Hat Discovery, also known as Discovery, is an inspection and reporting tool that finds,
identifies, and reports environment data, or facts, such as the number of physical and virtual
systems on a network, their operating systems, and relevant configuration data stored within
them. Discovery also identifies and reports more detailed facts for some versions of key
Red Hat packages and products that it finds in the network.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A Subscription Management tool for finding and reporting Red Hat product usage",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Discovery, also known as Discovery, is an inspection and reporting tool that finds,\nidentifies, and reports environment data, or facts, such as the number of physical and virtual\nsystems on a network, their operating systems, and relevant configuration data stored within\nthem. Discovery also identifies and reports more detailed facts for some versions of key\nRed Hat packages and products that it finds in the network.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0414",
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-5642",
"url": "https://access.redhat.com/security/cve/CVE-2024-5642"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-12816",
"url": "https://access.redhat.com/security/cve/CVE-2025-12816"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15284",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-45582",
"url": "https://access.redhat.com/security/cve/CVE-2025-45582"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-4598",
"url": "https://access.redhat.com/security/cve/CVE-2025-4598"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59375",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59682",
"url": "https://access.redhat.com/security/cve/CVE-2025-59682"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6069",
"url": "https://access.redhat.com/security/cve/CVE-2025-6069"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6075",
"url": "https://access.redhat.com/security/cve/CVE-2025-6075"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61984",
"url": "https://access.redhat.com/security/cve/CVE-2025-61984"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61985",
"url": "https://access.redhat.com/security/cve/CVE-2025-61985"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-64460",
"url": "https://access.redhat.com/security/cve/CVE-2025-64460"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-64720",
"url": "https://access.redhat.com/security/cve/CVE-2025-64720"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-64756",
"url": "https://access.redhat.com/security/cve/CVE-2025-64756"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-65018",
"url": "https://access.redhat.com/security/cve/CVE-2025-65018"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66031",
"url": "https://access.redhat.com/security/cve/CVE-2025-66031"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66293",
"url": "https://access.redhat.com/security/cve/CVE-2025-66293"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66418",
"url": "https://access.redhat.com/security/cve/CVE-2025-66418"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-8291",
"url": "https://access.redhat.com/security/cve/CVE-2025-8291"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9714",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/subscription_central/1-latest/#Discovery",
"url": "https://docs.redhat.com/en/documentation/subscription_central/1-latest/#Discovery"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0414.json"
}
],
"title": "Red Hat Security Advisory: A Subscription Management tool for finding and reporting Red Hat product usage",
"tracking": {
"current_release_date": "2026-01-21T14:10:20+00:00",
"generator": {
"date": "2026-01-21T14:10:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0414",
"initial_release_date": "2026-01-08T22:34:17+00:00",
"revision_history": [
{
"date": "2026-01-08T22:34:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-08T22:34:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-21T14:10:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Discovery 2",
"product": {
"name": "Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:discovery:2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Discovery"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"product": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"product_id": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-server-rhel9@sha256%3Ad4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf?arch=amd64\u0026repository_url=registry.redhat.io/discovery\u0026tag=1767888970"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"product": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"product_id": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-ui-rhel9@sha256%3A899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee?arch=amd64\u0026repository_url=registry.redhat.io/discovery\u0026tag=1767904573"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"product": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"product_id": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-server-rhel9@sha256%3A75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543?arch=arm64\u0026repository_url=registry.redhat.io/discovery\u0026tag=1767888970"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64",
"product": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64",
"product_id": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-ui-rhel9@sha256%3A8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e?arch=arm64\u0026repository_url=registry.redhat.io/discovery\u0026tag=1767904573"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64"
},
"product_reference": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
},
"product_reference": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64"
},
"product_reference": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
},
"product_reference": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64",
"relates_to_product_reference": "Red Hat Discovery 2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-5642",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-06-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2294682"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Python/CPython that does not disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This issue results in a buffer over-read when NPN is used. See CVE-2024-5535 for OpenSSL for more information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with a Low severity due to NPN not being widely used and specifying an empty list is likely uncommon in practice. Typically, a protocol name would be configured.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-5642"
},
{
"category": "external",
"summary": "RHBZ#2294682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-5642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-5642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5642"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"
}
],
"release_date": "2024-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used"
},
{
"cve": "CVE-2025-4598",
"cwe": {
"id": "CWE-364",
"name": "Signal Handler Race Condition"
},
"discovery_date": "2025-05-29T19:04:54.578000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2369242"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original\u0027s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.\n\nA SUID binary or process has a special type of permission, which allows the process to run with the file owner\u0027s permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original\u0027s SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw was rated as having a severity of Moderate due to the complexity of exploiting it. The attacker needs to set up a way to win the race condition and have an unprivileged local account to successfully exploit this vulnerability.\n\nBy default Red Hat Enterprise Linux 8 doesn\u0027t allow systemd-coredump to create dumps of SUID programs as the /proc/sys/fs/suid_dumpable is set to 0, disabling this capability by default.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-364: Signal Handler Race Condition vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces least functionality by enabling only essential features, services, and ports to reduce the system\u2019s attack surface. Static code analysis, peer reviews, and strong input validation detect unsafe input that could influence execution timing or path resolution. Real-time threat detection, including IPS/IDS, antimalware, and continuous monitoring, supports rapid identification of exploitation attempts. Process isolation and Kubernetes orchestration minimize the risk of concurrent execution conflicts and contain potential impacts. Executable search paths are limited to trusted, explicitly defined directories, reducing the risk of executing malicious files. Additionally, signal handling is implemented using secure development practices that mitigate asynchronous execution risks, and workloads run in environments that abstract direct signal management.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4598"
},
{
"category": "external",
"summary": "RHBZ#2369242",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369242"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4598",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4598"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4598"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/05/29/3",
"url": "https://www.openwall.com/lists/oss-security/2025/05/29/3"
}
],
"release_date": "2025-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "This issue can be mitigated by disabling the capability of the system to generate a coredump for SUID binaries. To do that, the following command can be run as the `root` user:\n\n~~~\necho 0 \u003e /proc/sys/fs/suid_dumpable\n~~~\n\nWhile this mitigates the vulnerability when it is not possible to update the systemd package, it disables the capability of analyzing crashes for such binaries.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "systemd-coredump: race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump"
},
{
"cve": "CVE-2025-6069",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2025-06-17T14:00:45.339399+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373234"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been discovered in Python\u0027s html.parser.HTMLParser class. When processing specially malformed HTML input, the parsing runtime can become quadratic with respect to the input size. This significantly increased processing time can lead to excessive resource consumption, ultimately causing a denial-of-service condition in applications that rely on this parser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: Python HTMLParser quadratic complexity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-1333: Inefficient Regular Expression Complexity vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nBaseline configurations enforce secure coding practices that restrict the use of inefficient or vulnerable regular expression patterns known to cause excessive backtracking or resource consumption. Input validation routines sanitize and constrain user input before it is evaluated by regular expressions, reducing the risk of triggering regex-related performance issues. Real-time system monitoring detects abnormal CPU usage or request latency indicative of inefficient regex execution, enabling timely investigation and response.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6069"
},
{
"category": "external",
"summary": "RHBZ#2373234",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373234"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6069"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6069",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6069"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949",
"url": "https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41",
"url": "https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b",
"url": "https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/135462",
"url": "https://github.com/python/cpython/issues/135462"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/135464",
"url": "https://github.com/python/cpython/pull/135464"
}
],
"release_date": "2025-06-17T13:39:46.058000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cpython: Python HTMLParser quadratic complexity"
},
{
"cve": "CVE-2025-6075",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-31T17:01:47.052517+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2408891"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in Python\u2019s os.path.expandvars() function that can cause performance degradation. When processing specially crafted, user-controlled input with nested environment variable patterns, the function exhibits quadratic time complexity, potentially leading to excessive CPU usage and denial of service (DoS) conditions. No code execution or data exposure occurs, so the impact is limited to performance slowdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: Quadratic complexity in os.path.expandvars() with user-controlled template",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low rather than Moderate because it only causes a performance inefficiency without affecting code execution, data integrity, or confidentiality. The flaw lies in the algorithmic complexity of os.path.expandvars(), which can become quadratic when processing crafted input containing repetitive or nested environment variable references. Exploitation requires the attacker to control the input string passed to this function, which is uncommon in secure applications. Moreover, the impact is limited to increased CPU utilization and potential slowdown, not system compromise or data manipulation. Since the issue does not introduce memory corruption, privilege escalation, or information disclosure risks, its overall impact scope and exploitability are minimal, justifying a Low severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6075"
},
{
"category": "external",
"summary": "RHBZ#2408891",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408891"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6075"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6075",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6075"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/136065",
"url": "https://github.com/python/cpython/issues/136065"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"
}
],
"release_date": "2025-10-31T16:41:34.983000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "python: Quadratic complexity in os.path.expandvars() with user-controlled template"
},
{
"cve": "CVE-2025-8291",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2025-10-07T19:01:23.599055+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2402342"
}
],
"notes": [
{
"category": "description",
"text": "The \u0027zipfile\u0027 module would not check the validity of the ZIP64 End of\nCentral Directory (EOCD) Locator record offset value. The offset value would not be used to\nlocate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be\nassumed to be the previous record in the ZIP archive. This could be abused\nto create ZIP archives that are handled differently by the \u0027zipfile\u0027 module\ncompared to other ZIP implementations.\n\nThe remediation maintains this behavior, but checks that the offset specified\nin the ZIP64 EOCD Locator record matches the expected value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8291"
},
{
"category": "external",
"summary": "RHBZ#2402342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8291"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8291",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8291"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267",
"url": "https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6",
"url": "https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/139700",
"url": "https://github.com/python/cpython/issues/139700"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/139702",
"url": "https://github.com/python/cpython/pull/139702"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/"
}
],
"release_date": "2025-10-07T18:10:05.908000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked"
},
{
"cve": "CVE-2025-9714",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2025-09-02T13:03:56.452000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392605"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxslt/libxml2. The \u0027exsltDynMapFunction\u0027 function in libexslt/dynamic.c does not contain a recursion depth check, which may cause infinite recursion via a specially crafted XSLT document while handling \u0027dyn:map()\u0027, leading to stack exhaustion and a local denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No evidence was found for arbitrary memory corruption through this flaw, limiting its impact to Availability only, and reducing its severity to Moderate.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-606: Unchecked Input for Loop Condition vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nInput validation controls are in place, which ensure that any input controlling loop behavior is validated against strict criteria like type, length, and range before being processed. This prevents malicious or abnormal inputs from causing excessive or infinite iterations, thereby avoiding logic errors or system overloads. Memory protection controls such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protect the system\u2019s memory from overuse or corruption if an unchecked input were to cause a loop to execute excessively. These controls ensure that memory is safely allocated and accessed, reducing the risks of buffer overflows, resource exhaustion, or crashes. Lastly, the implementation of security engineering principles dictates that secure coding practices, such as input validation, loop iteration limits, and error handling, are integrated during system design and development.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9714"
},
{
"category": "external",
"summary": "RHBZ#2392605",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392605"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9714"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148"
}
],
"release_date": "2025-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "The impact of this flaw may be reduced by setting strict resource limits to the stack size of processes at the operational system level. This can be achieved either through the \u0027ulimit\u0027 shell built-in or the \u0027limits.conf\u0027 file.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libxslt: libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c"
},
{
"cve": "CVE-2025-12816",
"cwe": {
"id": "CWE-179",
"name": "Incorrect Behavior Order: Early Validation"
},
"discovery_date": "2025-11-25T20:01:05.875196+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417097"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in node-forge. This vulnerability allows unauthenticated attackers to bypass downstream cryptographic verifications and security decisions via crafting ASN.1 (Abstract Syntax Notation One) structures to desynchronize schema validations, yielding a semantic divergence.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products due to an interpretation conflict in the node-forge library. An unauthenticated attacker could exploit this flaw by crafting malicious ASN.1 structures, leading to a bypass of cryptographic verifications and security decisions in affected applications. This impacts various Red Hat products that utilize node-forge for cryptographic operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12816"
},
{
"category": "external",
"summary": "RHBZ#2417097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12816",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12816"
},
{
"category": "external",
"summary": "https://github.com/digitalbazaar/forge",
"url": "https://github.com/digitalbazaar/forge"
},
{
"category": "external",
"summary": "https://github.com/digitalbazaar/forge/pull/1124",
"url": "https://github.com/digitalbazaar/forge/pull/1124"
},
{
"category": "external",
"summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/521113",
"url": "https://kb.cert.org/vuls/id/521113"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/node-forge",
"url": "https://www.npmjs.com/package/node-forge"
}
],
"release_date": "2025-11-25T19:15:50.243000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications"
},
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-12-29T23:00:58.541337+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2425946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "qs: qs: Denial of Service via improper input validation in array parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products that utilize the `qs` module for parsing query strings, particularly when processing user-controlled input with bracket notation. The `arrayLimit` option, intended to prevent resource exhaustion, is bypassed when bracket notation (`a[]=value`) is used, allowing a remote attacker to cause a denial of service through memory exhaustion. This can lead to application crashes or unresponsiveness, making the service unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "RHBZ#2425946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9",
"url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p",
"url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
}
],
"release_date": "2025-12-29T22:56:45.240000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "qs: qs: Denial of Service via improper input validation in array parsing"
},
{
"cve": "CVE-2025-45582",
"cwe": {
"id": "CWE-24",
"name": "Path Traversal: \u0027../filedir\u0027"
},
"discovery_date": "2025-07-11T17:00:47.340822+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379592"
}
],
"notes": [
{
"category": "description",
"text": "A relative path traversal flaw was found in the GNU tar utility. When archives with relative paths are extracted without the \u2018--keep-old-files\u2019 (\u2018-k\u2019) option, the extraction process may overwrite existing files that the current user has access to. The server may be impacted if these files are critical to the operation of some service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tar: Tar path traversal",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-24: Path Traversal: \u0027../filedir\u0027 vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nBaseline configurations enforce strict privilege levels for code execution, allowing only authorized processes to access or modify files within approved directories. Input validation sanitizes and verifies user-supplied file paths against defined patterns, blocking traversal sequences that could enable unauthorized access outside designated locations. Configuration settings further restrict directory and file system access, ensuring applications operate within approved resources and execution boundaries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-45582"
},
{
"category": "external",
"summary": "RHBZ#2379592",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379592"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-45582",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-45582"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-45582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45582"
},
{
"category": "external",
"summary": "https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md",
"url": "https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md"
},
{
"category": "external",
"summary": "https://www.gnu.org/software/tar/",
"url": "https://www.gnu.org/software/tar/"
},
{
"category": "external",
"summary": "https://www.gnu.org/software/tar/manual/html_node/Integrity.html#Integrity",
"url": "https://www.gnu.org/software/tar/manual/html_node/Integrity.html#Integrity"
}
],
"release_date": "2025-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tar: Tar path traversal"
},
{
"cve": "CVE-2025-59375",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-09-15T03:00:59.775098+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2395108"
}
],
"notes": [
{
"category": "description",
"text": "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat\u2019s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document\u2014something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\n\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classified as Moderate instead of Important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59375"
},
{
"category": "external",
"summary": "RHBZ#2395108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
},
{
"category": "external",
"summary": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74",
"url": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74"
},
{
"category": "external",
"summary": "https://github.com/libexpat/libexpat/issues/1018",
"url": "https://github.com/libexpat/libexpat/issues/1018"
},
{
"category": "external",
"summary": "https://github.com/libexpat/libexpat/pull/1034",
"url": "https://github.com/libexpat/libexpat/pull/1034"
},
{
"category": "external",
"summary": "https://issues.oss-fuzz.com/issues/439133977",
"url": "https://issues.oss-fuzz.com/issues/439133977"
}
],
"release_date": "2025-09-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing"
},
{
"cve": "CVE-2025-59682",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-30T13:18:31.746000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2400450"
}
],
"notes": [
{
"category": "description",
"text": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "django: Potential partial directory-traversal via archive.extract()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59682"
},
{
"category": "external",
"summary": "RHBZ#2400450",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400450"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59682"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59682",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59682"
}
],
"release_date": "2025-10-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "django: Potential partial directory-traversal via archive.extract()"
},
{
"cve": "CVE-2025-61984",
"cwe": {
"id": "CWE-159",
"name": "Improper Handling of Invalid Use of Special Elements"
},
"discovery_date": "2025-10-06T19:01:13.449665+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2401960"
}
],
"notes": [
{
"category": "description",
"text": "ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The impact is MODERATE because it is a critical component used across many Red Hat products.\nThe issue occurs only when a ProxyCommand is configured and the SSH client handles a username containing control characters from an untrusted source, such as script-generated input or expanded configuration values.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61984"
},
{
"category": "external",
"summary": "RHBZ#2401960",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401960"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61984",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61984"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61984",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61984"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.com/releasenotes.html#10.1p1",
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/10/06/1",
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
}
],
"release_date": "2025-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand"
},
{
"cve": "CVE-2025-61985",
"cwe": {
"id": "CWE-158",
"name": "Improper Neutralization of Null Byte or NUL Character"
},
"discovery_date": "2025-10-06T19:01:16.841946+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2401962"
}
],
"notes": [
{
"category": "description",
"text": "ssh in OpenSSH before 10.1 allows the \u0027\\0\u0027 character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The impact is MODERATE because it is a critical component used across many Red Hat products.\nExploiting this vulnerability would require a specific configuration where ProxyCommand is enabled and the SSH client processes an untrusted ssh:// URI containing null bytes. Under these conditions, the command parser may misinterpret the URI and execute unintended shell commands.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61985"
},
{
"category": "external",
"summary": "RHBZ#2401962",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401962"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61985"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61985",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61985"
},
{
"category": "external",
"summary": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"category": "external",
"summary": "https://www.openssh.com/releasenotes.html#10.1p1",
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/10/06/1",
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
}
],
"release_date": "2025-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand"
},
{
"cve": "CVE-2025-64460",
"cwe": {
"id": "CWE-407",
"name": "Inefficient Algorithmic Complexity"
},
"discovery_date": "2025-12-02T16:01:05.300335+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Django. This vulnerability allows a remote attacker to cause a potential denial-of-service (DoS) attack triggering Central Processing Unit (CPU) and memory exhaustion via specially crafted Extensible Markup Language (XML) input processed by the XML Deserializer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Django: Django: Algorithmic complexity in XML Deserializer leads to denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products that process XML input using Django\u0027s XML Deserializer, including Red Hat Ansible Automation Platform, Red Hat OpenStack Platform, and OpenShift Service Mesh. A remote attacker can exploit this flaw by providing specially crafted XML, leading to a denial-of-service due to CPU and memory exhaustion.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-64460"
},
{
"category": "external",
"summary": "RHBZ#2418366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-64460",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64460"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64460",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64460"
},
{
"category": "external",
"summary": "https://docs.djangoproject.com/en/dev/releases/security/",
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"category": "external",
"summary": "https://groups.google.com/g/django-announce",
"url": "https://groups.google.com/g/django-announce"
},
{
"category": "external",
"summary": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/",
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
}
],
"release_date": "2025-12-02T15:15:34.451000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Django: Django: Algorithmic complexity in XML Deserializer leads to denial of service"
},
{
"cve": "CVE-2025-64720",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-25T00:00:54.081073+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416904"
}
],
"notes": [
{
"category": "description",
"text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component \u2264 alpha \u00d7 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libpng: LIBPNG buffer overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products. An out-of-bounds read in libpng can occur when processing specially crafted palette images with `PNG_FLAG_OPTIMIZE_ALPHA` enabled. Successful exploitation requires a user to process a malicious PNG file, leading to potential application crash or information disclosure.\n\njava-*-openjdk-headless packages do not contain libsplashscreen.so, hence are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-64720"
},
{
"category": "external",
"summary": "RHBZ#2416904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-64720",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64720"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643",
"url": "https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/issues/686",
"url": "https://github.com/pnggroup/libpng/issues/686"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/pull/751",
"url": "https://github.com/pnggroup/libpng/pull/751"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww",
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww"
}
],
"release_date": "2025-11-24T23:45:38.315000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libpng: LIBPNG buffer overflow"
},
{
"cve": "CVE-2025-64756",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2025-11-17T18:01:28.077927+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2415451"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in glob. This vulnerability allows arbitrary command execution via processing files with malicious names when the glob command-line interface (CLI) is used with the -c/--cmd option, enabling shell metacharacters to trigger command injection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob: glob: Command Injection Vulnerability via Malicious Filenames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw in glob allows arbitrary command execution when the `glob` command-line interface is used with the `-c/--cmd` option to process files with malicious names. The vulnerability is triggered by shell metacharacters in filenames, leading to command injection. The glob CLI uses the -c option to run a shell command over the files that matched the searched pattern; it does so by creating the subprocess with the shell:true parameter, so the command supplied via \u0027-c\u0027 is interpreted by a shell and any shell metacharacters in it are processed when the command executes. glob does not sanitize the matched filenames to remove such characters and expressions, so during shell expansion they are interpreted as shell commands, leading to code execution.\n\nTo exploit this vulnerability, the targeted system must run the glob CLI over a file with a maliciously crafted filename; additionally, the attacker needs sufficient permissions to create such a file, or must trick the user into downloading and processing it with the glob CLI.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-64756"
},
{
"category": "external",
"summary": "RHBZ#2415451",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415451"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"category": "external",
"summary": "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146",
"url": "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146"
},
{
"category": "external",
"summary": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2",
"url": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2"
}
],
"release_date": "2025-11-17T17:29:08.029000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "To mitigate this issue, avoid using the `glob` command-line interface with the `-c` or `--cmd` option when processing filenames from untrusted sources. If programmatic use of `glob` is necessary, ensure that filenames are thoroughly sanitized before being passed to commands executed with shell interpretation enabled.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "glob: glob: Command Injection Vulnerability via Malicious Filenames"
},
{
"cve": "CVE-2025-65018",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-11-25T00:01:05.570152+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2416907"
}
],
"notes": [
{
"category": "description",
"text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libpng: LIBPNG heap buffer overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products. A heap buffer overflow exists in the libpng library\u0027s png_image_finish_read function when processing specially crafted 16-bit interlaced PNG images with an 8-bit output format. Successful exploitation requires a user or an automated system to process a malicious PNG file, which could lead to application crashes or arbitrary code execution.\n\njava-*-openjdk-headless packages do not contain libsplashscreen.so, hence are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-65018"
},
{
"category": "external",
"summary": "RHBZ#2416907",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416907"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-65018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65018"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-65018",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65018"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d",
"url": "https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea",
"url": "https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/issues/755",
"url": "https://github.com/pnggroup/libpng/issues/755"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/pull/757",
"url": "https://github.com/pnggroup/libpng/pull/757"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g",
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g"
}
],
"release_date": "2025-11-24T23:50:18.294000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libpng: LIBPNG heap buffer overflow"
},
{
"cve": "CVE-2025-66031",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-11-26T23:01:36.363253+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417397"
}
],
"notes": [
{
"category": "description",
"text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "node-forge: node-forge ASN.1 Unbounded Recursion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66031"
},
{
"category": "external",
"summary": "RHBZ#2417397",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417397"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66031",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66031"
},
{
"category": "external",
"summary": "https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451",
"url": "https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451"
},
{
"category": "external",
"summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27"
}
],
"release_date": "2025-11-26T22:23:26.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "node-forge: node-forge ASN.1 Unbounded Recursion"
},
{
"cve": "CVE-2025-66293",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-12-03T21:00:59.956903+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418711"
}
],
"notes": [
{
"category": "description",
"text": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng\u0027s simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng\u0027s internal state management. Upgrade to libpng 1.6.52 or later.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libpng: LIBPNG out-of-bounds read in png_image_read_composite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products as it affects libpng, a widely used library for processing PNG images. An out-of-bounds read can occur in libpng\u0027s simplified API when handling specially crafted PNG images with partial transparency and gamma correction. This could lead to information disclosure or application crashes in software that processes untrusted PNG files using affected versions of libpng.\n\njava-*-openjdk-headless packages do not contain libsplashscreen.so, hence are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66293"
},
{
"category": "external",
"summary": "RHBZ#2418711",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418711"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66293"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66293",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66293"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1",
"url": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a",
"url": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/issues/764",
"url": "https://github.com/pnggroup/libpng/issues/764"
},
{
"category": "external",
"summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f",
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f"
}
],
"release_date": "2025-12-03T20:33:57.086000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libpng: LIBPNG out-of-bounds read in png_image_read_composite"
},
{
"cve": "CVE-2025-66418",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-12-05T17:01:20.277857+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419455"
}
],
"notes": [
{
"category": "description",
"text": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66418"
},
{
"category": "external",
"summary": "RHBZ#2419455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419455"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66418",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66418"
},
{
"category": "external",
"summary": "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8",
"url": "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"
},
{
"category": "external",
"summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53",
"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"
}
],
"release_date": "2025-12-05T16:02:15.271000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-08T22:34:17+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:d4e8987a100ea60942306f1564679e51fa1364f6124fbfb3100959f83a1f16bf_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:8af6fd7c8fe38d6bfd22e42810badde0aeeae738ea28667ae29dbc0cf4266f3e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "urllib3: Unbounded decompression chain leads to resource exhaustion"
}
]
}