Action not permitted
Modal body text goes here.
Modal Title
Modal Body
ubuntu-cve-2026-1207
Vulnerability from osv_ubuntu
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python-django",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
},
{
"binary_name": "python-django-common",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
},
{
"binary_name": "python3-django",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@1:1.11.11-1ubuntu1.21+esm14?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.11.11-1ubuntu1.21+esm14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:1.11.4-1ubuntu1",
"1:1.11.6-1ubuntu1",
"1:1.11.9-1ubuntu1",
"1:1.11.11-1ubuntu1",
"1:1.11.11-1ubuntu1.1",
"1:1.11.11-1ubuntu1.2",
"1:1.11.11-1ubuntu1.3",
"1:1.11.11-1ubuntu1.4",
"1:1.11.11-1ubuntu1.5",
"1:1.11.11-1ubuntu1.6",
"1:1.11.11-1ubuntu1.7",
"1:1.11.11-1ubuntu1.8",
"1:1.11.11-1ubuntu1.9",
"1:1.11.11-1ubuntu1.10",
"1:1.11.11-1ubuntu1.11",
"1:1.11.11-1ubuntu1.12",
"1:1.11.11-1ubuntu1.13",
"1:1.11.11-1ubuntu1.14",
"1:1.11.11-1ubuntu1.15",
"1:1.11.11-1ubuntu1.16",
"1:1.11.11-1ubuntu1.17",
"1:1.11.11-1ubuntu1.18",
"1:1.11.11-1ubuntu1.19",
"1:1.11.11-1ubuntu1.20",
"1:1.11.11-1ubuntu1.21",
"1:1.11.11-1ubuntu1.21+esm1",
"1:1.11.11-1ubuntu1.21+esm2",
"1:1.11.11-1ubuntu1.21+esm3",
"1:1.11.11-1ubuntu1.21+esm4",
"1:1.11.11-1ubuntu1.21+esm5",
"1:1.11.11-1ubuntu1.21+esm6",
"1:1.11.11-1ubuntu1.21+esm7",
"1:1.11.11-1ubuntu1.21+esm8",
"1:1.11.11-1ubuntu1.21+esm9",
"1:1.11.11-1ubuntu1.21+esm10",
"1:1.11.11-1ubuntu1.21+esm11",
"1:1.11.11-1ubuntu1.21+esm12",
"1:1.11.11-1ubuntu1.21+esm13"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "2:2.2.12-1ubuntu0.29+esm7"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@2:2.2.12-1ubuntu0.29+esm7?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.2.12-1ubuntu0.29+esm7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:1.11.22-1ubuntu1",
"2:2.2.6-1ubuntu1",
"2:2.2.9-2ubuntu1",
"2:2.2.10-1",
"2:2.2.10-1ubuntu1",
"2:2.2.11-1",
"2:2.2.12-1",
"2:2.2.12-1ubuntu0.1",
"2:2.2.12-1ubuntu0.2",
"2:2.2.12-1ubuntu0.3",
"2:2.2.12-1ubuntu0.4",
"2:2.2.12-1ubuntu0.5",
"2:2.2.12-1ubuntu0.6",
"2:2.2.12-1ubuntu0.7",
"2:2.2.12-1ubuntu0.8",
"2:2.2.12-1ubuntu0.9",
"2:2.2.12-1ubuntu0.10",
"2:2.2.12-1ubuntu0.11",
"2:2.2.12-1ubuntu0.12",
"2:2.2.12-1ubuntu0.13",
"2:2.2.12-1ubuntu0.14",
"2:2.2.12-1ubuntu0.15",
"2:2.2.12-1ubuntu0.16",
"2:2.2.12-1ubuntu0.17",
"2:2.2.12-1ubuntu0.18",
"2:2.2.12-1ubuntu0.19",
"2:2.2.12-1ubuntu0.20",
"2:2.2.12-1ubuntu0.21",
"2:2.2.12-1ubuntu0.22",
"2:2.2.12-1ubuntu0.23",
"2:2.2.12-1ubuntu0.24",
"2:2.2.12-1ubuntu0.25",
"2:2.2.12-1ubuntu0.26",
"2:2.2.12-1ubuntu0.27",
"2:2.2.12-1ubuntu0.28",
"2:2.2.12-1ubuntu0.29",
"2:2.2.12-1ubuntu0.29+esm1",
"2:2.2.12-1ubuntu0.29+esm2",
"2:2.2.12-1ubuntu0.29+esm3",
"2:2.2.12-1ubuntu0.29+esm4",
"2:2.2.12-1ubuntu0.29+esm5",
"2:2.2.12-1ubuntu0.29+esm6"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "2:3.2.12-2ubuntu1.25"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@2:3.2.12-2ubuntu1.25?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:3.2.12-2ubuntu1.25"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:2.2.24-1ubuntu1",
"2:3.2.12-2",
"2:3.2.12-2ubuntu1",
"2:3.2.12-2ubuntu1.1",
"2:3.2.12-2ubuntu1.2",
"2:3.2.12-2ubuntu1.3",
"2:3.2.12-2ubuntu1.4",
"2:3.2.12-2ubuntu1.5",
"2:3.2.12-2ubuntu1.6",
"2:3.2.12-2ubuntu1.7",
"2:3.2.12-2ubuntu1.8",
"2:3.2.12-2ubuntu1.9",
"2:3.2.12-2ubuntu1.10",
"2:3.2.12-2ubuntu1.11",
"2:3.2.12-2ubuntu1.12",
"2:3.2.12-2ubuntu1.13",
"2:3.2.12-2ubuntu1.14",
"2:3.2.12-2ubuntu1.15",
"2:3.2.12-2ubuntu1.16",
"2:3.2.12-2ubuntu1.17",
"2:3.2.12-2ubuntu1.18",
"2:3.2.12-2ubuntu1.19",
"2:3.2.12-2ubuntu1.20",
"2:3.2.12-2ubuntu1.21",
"2:3.2.12-2ubuntu1.22",
"2:3.2.12-2ubuntu1.23",
"2:3.2.12-2ubuntu1.24"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "3:4.2.11-1ubuntu1.14"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@3:4.2.11-1ubuntu1.14?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.2.11-1ubuntu1.14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3:4.2.4-1ubuntu2",
"3:4.2.8-1",
"3:4.2.9-1",
"3:4.2.11-1",
"3:4.2.11-1ubuntu1",
"3:4.2.11-1ubuntu1.1",
"3:4.2.11-1ubuntu1.2",
"3:4.2.11-1ubuntu1.3",
"3:4.2.11-1ubuntu1.4",
"3:4.2.11-1ubuntu1.5",
"3:4.2.11-1ubuntu1.6",
"3:4.2.11-1ubuntu1.7",
"3:4.2.11-1ubuntu1.8",
"3:4.2.11-1ubuntu1.9",
"3:4.2.11-1ubuntu1.10",
"3:4.2.11-1ubuntu1.11",
"3:4.2.11-1ubuntu1.12",
"3:4.2.11-1ubuntu1.13"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "3:5.2.4-1ubuntu2.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@3:5.2.4-1ubuntu2.3?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:5.2.4-1ubuntu2.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3:4.2.18-1ubuntu1",
"3:4.2.18-1ubuntu1.1",
"3:5.2.4-1",
"3:5.2.4-1ubuntu1",
"3:5.2.4-1ubuntu2",
"3:5.2.4-1ubuntu2.1",
"3:5.2.4-1ubuntu2.2"
]
}
],
"aliases": [],
"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.",
"id": "UBUNTU-CVE-2026-1207",
"modified": "2026-06-30T16:18:32Z",
"published": "2026-02-03T14:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-1207"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1207"
},
{
"type": "REPORT",
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8009-1"
}
],
"related": [
"USN-8009-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-1207"
]
}
CVE-2026-1207 (GCVE-0-2026-1207)
Vulnerability from cvelistv5 – Published: 2026-02-03 14:35 – Updated: 2026-07-15 01:23- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | Django |
Affected:
6.0 , < 6.0.2
(semver)
Unaffected: 6.0.2 (semver) Affected: 5.2 , < 5.2.11 (semver) Unaffected: 5.2.11 (semver) Affected: 4.2 , < 4.2.28 (semver) Unaffected: 4.2.28 (semver) |
|
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 8 |
Unaffected:
0:4.2.28-1.el8ap , < *
(rpm)
cpe:/a:redhat:ansible_automation_platform:2.5::el8 |
|
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 9 |
Unaffected:
0:4.2.28-1.el9ap , < *
(rpm)
cpe:/a:redhat:ansible_automation_platform:2.5::el9 |
|
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 9 |
Unaffected:
0:4.2.28-1.el9ap , < *
(rpm)
cpe:/a:redhat:ansible_automation_platform:2.6::el9 |
|
| Red Hat | Red Hat Satellite 6.16 for RHEL 8 |
Unaffected:
0:4.2.28-0.1.el8pc , < *
(rpm)
cpe:/a:redhat:satellite:6.16::el8 cpe:/a:redhat:satellite_capsule:6.16::el8 |
|
| Red Hat | Red Hat Satellite 6.16 for RHEL 9 |
Unaffected:
0:4.2.28-0.1.el9pc , < *
(rpm)
cpe:/a:redhat:satellite:6.16::el9 cpe:/a:redhat:satellite_capsule:6.16::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:3.14.0.14-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:0.1.23-0.3.el9pc , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:1.2.0-0.1.el9pc , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:4.2.28-0.1.el9pc , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:2.22.3-1.el9pc , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:3.27.10-2.el9pc , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:1.5.1-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:0.4.3-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:4.16.0.14-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:0.13.0-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:6.17.7-1.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:0.0.3-4.el9sat , < *
(rpm)
cpe:/a:redhat:satellite_maintenance:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Red Hat Satellite 6.18 for RHEL 9 |
Unaffected:
0:4.2.30-1.el9pc , < *
(rpm)
cpe:/a:redhat:satellite:6.18::el9 cpe:/a:redhat:satellite_capsule:6.18::el9 |
|
| Red Hat | Red Hat Ansible Automation Platform 2.5 |
Unaffected:
1772214630 , < *
(rpm)
cpe:/a:redhat:ansible_automation_platform:2.5::el8 |
|
| Red Hat | Red Hat Ansible Automation Platform 2.6 |
Unaffected:
1772552788 , < *
(rpm)
cpe:/a:redhat:ansible_automation_platform:2.6::el9 |
|
| Red Hat | Red Hat Discovery 2 |
Unaffected:
1770913597 , < *
(rpm)
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat Satellite 6.18 |
Unaffected:
1773451075 , < *
(rpm)
cpe:/a:redhat:satellite:6.18::el9 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
cpe:/a:redhat:openstack:16.2 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 |
cpe:/a:redhat:openstack:17.1 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
|
| Red Hat | Red Hat Satellite 6 |
cpe:/a:redhat:satellite:6 |
|
| Red Hat | Red Hat Update Infrastructure 4 for Cloud Providers |
cpe:/a:redhat:rhui:4::el8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T16:21:06.022295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T16:21:08.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.5::el8"
],
"defaultStatus": "affected",
"packageName": "python3.12-django",
"product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-1.el8ap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.5::el9"
],
"defaultStatus": "affected",
"packageName": "python3.12-django",
"product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-1.el9ap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"packageName": "python3.12-django",
"product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-1.el9ap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el8",
"cpe:/a:redhat:satellite_capsule:6.16::el8"
],
"defaultStatus": "affected",
"packageName": "python-django",
"product": "Red Hat Satellite 6.16 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-0.1.el8pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el9",
"cpe:/a:redhat:satellite_capsule:6.16::el9"
],
"defaultStatus": "affected",
"packageName": "python-django",
"product": "Red Hat Satellite 6.16 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-0.1.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "foreman",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.14.0.14-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "libcomps",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.1.23-0.3.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "python-brotli",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.2.0-0.1.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "python-django",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.28-0.1.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "python-pulp-container",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.22.3-1.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "python-pulp-rpm",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.27.10-2.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "rubygem-fog-kubevirt",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.5.1-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "rubygem-foreman_kubevirt",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.4.3-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "rubygem-katello",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.16.0.14-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "rubygem-rubyipmi",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.13.0-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "satellite",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:6.17.7-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite_maintenance:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "yggdrasil-worker-forwarder",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.0.3-4.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9",
"cpe:/a:redhat:satellite_capsule:6.18::el9"
],
"defaultStatus": "affected",
"packageName": "python3.12-django",
"product": "Red Hat Satellite 6.18 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.2.30-1.el9pc",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.5::el8"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-25/lightspeed-rhel8",
"product": "Red Hat Ansible Automation Platform 2.5",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1772214630",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-26/lightspeed-rhel9",
"product": "Red Hat Ansible Automation Platform 2.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1772552788",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-server-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1770913597",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"defaultStatus": "affected",
"packageName": "satellite/iop-advisor-backend-rhel9",
"product": "Red Hat Satellite 6.18",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1773451075",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-24/de-minimal-rhel8",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-24/de-minimal-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-25/de-minimal-rhel8",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-25/de-minimal-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-26/de-minimal-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "automation-controller",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "python-django",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"packageName": "python-django20",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"packageName": "python-django",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"packageName": "python-django",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"packageName": "satellite-capsule:el8/python-django",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhui:4::el8"
],
"defaultStatus": "affected",
"packageName": "python-django",
"product": "Red Hat Update Infrastructure 4 for Cloud Providers",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-03T14:35:33.721Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Django. A remote attacker could inject SQL commands by manipulating the band index parameter during raster lookups on `RasterField` (only implemented on PostGIS). This SQL injection vulnerability could lead to unauthorized information disclosure, data alteration, or denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:23:00.336Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-1207"
},
{
"name": "RHBZ#2436338",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436338"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1207.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3959"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5971"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3958"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5970"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14835"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3962"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3960"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2694"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6291"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:5971: Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:5970: Red Hat Satellite 6.17 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:14835: Red Hat Satellite 6.18 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5"
},
{
"lang": "en",
"value": "RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:2694: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:6291: Red Hat Satellite 6.18"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-03T15:00:58.388Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-03T14:35:33.721Z",
"value": "Made public."
}
],
"title": "Django: Django: SQL Injection via RasterField band index parameter",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "6.0.2",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.2",
"versionType": "semver"
},
{
"lessThan": "5.2.11",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.11",
"versionType": "semver"
},
{
"lessThan": "4.2.28",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.28",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tarek Nakkouch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jacob Walls"
}
],
"datePublic": "2026-02-03T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003eRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66: SQL Injection"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "high"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T14:35:33.721Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-12-19T18:00:00.000Z",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2026-01-26T18:00:00.000Z",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2026-02-03T08:00:00.000Z",
"value": "Security release issued."
}
],
"title": "Potential SQL injection via raster lookups on PostGIS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2026-1207",
"datePublished": "2026-02-03T14:35:33.721Z",
"dateReserved": "2026-01-19T20:14:06.262Z",
"dateUpdated": "2026-07-15T01:23:00.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
usn-8009-1
Vulnerability from osv_ubuntu
It was discovered that Django exposed timing information when checking passwords. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests with duplicate headers. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)
Seokchan Yoon discovered that Django incorrectly handled malformed HTML inputs containing a large amount of unmatched HTML end tags. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1285)
Solomon Kebede discovered that Django incorrectly handled control characters in the dictionary expansion of certain QuerySet methods. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2026-1287)
Solomon Kebede discovered that Django incorrectly handled column alias parsing with dictionary expansion. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python-django",
"binary_version": "1.6.11-0ubuntu1.3+esm10"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@1.6.11-0ubuntu1.3+esm10?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.11-0ubuntu1.3+esm10"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.4-1ubuntu1",
"1.6-1",
"1.6.1-1",
"1.6.1-2",
"1.6.1-2ubuntu0.1",
"1.6.1-2ubuntu0.2",
"1.6.1-2ubuntu0.3",
"1.6.1-2ubuntu0.4",
"1.6.1-2ubuntu0.5",
"1.6.1-2ubuntu0.6",
"1.6.1-2ubuntu0.8",
"1.6.1-2ubuntu0.9",
"1.6.1-2ubuntu0.10",
"1.6.1-2ubuntu0.11",
"1.6.1-2ubuntu0.12",
"1.6.1-2ubuntu0.13",
"1.6.1-2ubuntu0.14",
"1.6.1-2ubuntu0.15",
"1.6.1-2ubuntu0.16",
"1.6.11-0ubuntu1",
"1.6.11-0ubuntu1.1",
"1.6.11-0ubuntu1.2",
"1.6.11-0ubuntu1.3",
"1.6.11-0ubuntu1.3+esm1",
"1.6.11-0ubuntu1.3+esm2",
"1.6.11-0ubuntu1.3+esm3",
"1.6.11-0ubuntu1.3+esm4",
"1.6.11-0ubuntu1.3+esm5",
"1.6.11-0ubuntu1.3+esm6",
"1.6.11-0ubuntu1.3+esm7",
"1.6.11-0ubuntu1.3+esm8",
"1.6.11-0ubuntu1.3+esm9"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python-django",
"binary_version": "1.8.7-1ubuntu5.15+esm11"
},
{
"binary_name": "python-django-common",
"binary_version": "1.8.7-1ubuntu5.15+esm11"
},
{
"binary_name": "python3-django",
"binary_version": "1.8.7-1ubuntu5.15+esm11"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@1.8.7-1ubuntu5.15+esm11?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.7-1ubuntu5.15+esm11"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.9-1ubuntu5",
"1.8.5-2ubuntu1",
"1.8.7-1ubuntu1",
"1.8.7-1ubuntu2",
"1.8.7-1ubuntu3",
"1.8.7-1ubuntu4",
"1.8.7-1ubuntu5",
"1.8.7-1ubuntu5.1",
"1.8.7-1ubuntu5.2",
"1.8.7-1ubuntu5.4",
"1.8.7-1ubuntu5.5",
"1.8.7-1ubuntu5.6",
"1.8.7-1ubuntu5.7",
"1.8.7-1ubuntu5.8",
"1.8.7-1ubuntu5.9",
"1.8.7-1ubuntu5.10",
"1.8.7-1ubuntu5.11",
"1.8.7-1ubuntu5.12",
"1.8.7-1ubuntu5.13",
"1.8.7-1ubuntu5.14",
"1.8.7-1ubuntu5.15",
"1.8.7-1ubuntu5.15+esm1",
"1.8.7-1ubuntu5.15+esm3",
"1.8.7-1ubuntu5.15+esm4",
"1.8.7-1ubuntu5.15+esm5",
"1.8.7-1ubuntu5.15+esm6",
"1.8.7-1ubuntu5.15+esm7",
"1.8.7-1ubuntu5.15+esm8",
"1.8.7-1ubuntu5.15+esm9",
"1.8.7-1ubuntu5.15+esm10"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1207",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python-django",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
},
{
"binary_name": "python-django-common",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
},
{
"binary_name": "python3-django",
"binary_version": "1:1.11.11-1ubuntu1.21+esm14"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@1:1.11.11-1ubuntu1.21+esm14?arch=source\u0026distro=esm-infra/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.11.11-1ubuntu1.21+esm14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:1.11.4-1ubuntu1",
"1:1.11.6-1ubuntu1",
"1:1.11.9-1ubuntu1",
"1:1.11.11-1ubuntu1",
"1:1.11.11-1ubuntu1.1",
"1:1.11.11-1ubuntu1.2",
"1:1.11.11-1ubuntu1.3",
"1:1.11.11-1ubuntu1.4",
"1:1.11.11-1ubuntu1.5",
"1:1.11.11-1ubuntu1.6",
"1:1.11.11-1ubuntu1.7",
"1:1.11.11-1ubuntu1.8",
"1:1.11.11-1ubuntu1.9",
"1:1.11.11-1ubuntu1.10",
"1:1.11.11-1ubuntu1.11",
"1:1.11.11-1ubuntu1.12",
"1:1.11.11-1ubuntu1.13",
"1:1.11.11-1ubuntu1.14",
"1:1.11.11-1ubuntu1.15",
"1:1.11.11-1ubuntu1.16",
"1:1.11.11-1ubuntu1.17",
"1:1.11.11-1ubuntu1.18",
"1:1.11.11-1ubuntu1.19",
"1:1.11.11-1ubuntu1.20",
"1:1.11.11-1ubuntu1.21",
"1:1.11.11-1ubuntu1.21+esm1",
"1:1.11.11-1ubuntu1.21+esm2",
"1:1.11.11-1ubuntu1.21+esm3",
"1:1.11.11-1ubuntu1.21+esm4",
"1:1.11.11-1ubuntu1.21+esm5",
"1:1.11.11-1ubuntu1.21+esm6",
"1:1.11.11-1ubuntu1.21+esm7",
"1:1.11.11-1ubuntu1.21+esm8",
"1:1.11.11-1ubuntu1.21+esm9",
"1:1.11.11-1ubuntu1.21+esm10",
"1:1.11.11-1ubuntu1.21+esm11",
"1:1.11.11-1ubuntu1.21+esm12",
"1:1.11.11-1ubuntu1.21+esm13"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1207",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "2:2.2.12-1ubuntu0.29+esm7"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@2:2.2.12-1ubuntu0.29+esm7?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.2.12-1ubuntu0.29+esm7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:1.11.22-1ubuntu1",
"2:2.2.6-1ubuntu1",
"2:2.2.9-2ubuntu1",
"2:2.2.10-1",
"2:2.2.10-1ubuntu1",
"2:2.2.11-1",
"2:2.2.12-1",
"2:2.2.12-1ubuntu0.1",
"2:2.2.12-1ubuntu0.2",
"2:2.2.12-1ubuntu0.3",
"2:2.2.12-1ubuntu0.4",
"2:2.2.12-1ubuntu0.5",
"2:2.2.12-1ubuntu0.6",
"2:2.2.12-1ubuntu0.7",
"2:2.2.12-1ubuntu0.8",
"2:2.2.12-1ubuntu0.9",
"2:2.2.12-1ubuntu0.10",
"2:2.2.12-1ubuntu0.11",
"2:2.2.12-1ubuntu0.12",
"2:2.2.12-1ubuntu0.13",
"2:2.2.12-1ubuntu0.14",
"2:2.2.12-1ubuntu0.15",
"2:2.2.12-1ubuntu0.16",
"2:2.2.12-1ubuntu0.17",
"2:2.2.12-1ubuntu0.18",
"2:2.2.12-1ubuntu0.19",
"2:2.2.12-1ubuntu0.20",
"2:2.2.12-1ubuntu0.21",
"2:2.2.12-1ubuntu0.22",
"2:2.2.12-1ubuntu0.23",
"2:2.2.12-1ubuntu0.24",
"2:2.2.12-1ubuntu0.25",
"2:2.2.12-1ubuntu0.26",
"2:2.2.12-1ubuntu0.27",
"2:2.2.12-1ubuntu0.28",
"2:2.2.12-1ubuntu0.29",
"2:2.2.12-1ubuntu0.29+esm1",
"2:2.2.12-1ubuntu0.29+esm2",
"2:2.2.12-1ubuntu0.29+esm3",
"2:2.2.12-1ubuntu0.29+esm4",
"2:2.2.12-1ubuntu0.29+esm5",
"2:2.2.12-1ubuntu0.29+esm6"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-14550",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1207",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "2:3.2.12-2ubuntu1.25"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@2:3.2.12-2ubuntu1.25?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:3.2.12-2ubuntu1.25"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:2.2.24-1ubuntu1",
"2:3.2.12-2",
"2:3.2.12-2ubuntu1",
"2:3.2.12-2ubuntu1.1",
"2:3.2.12-2ubuntu1.2",
"2:3.2.12-2ubuntu1.3",
"2:3.2.12-2ubuntu1.4",
"2:3.2.12-2ubuntu1.5",
"2:3.2.12-2ubuntu1.6",
"2:3.2.12-2ubuntu1.7",
"2:3.2.12-2ubuntu1.8",
"2:3.2.12-2ubuntu1.9",
"2:3.2.12-2ubuntu1.10",
"2:3.2.12-2ubuntu1.11",
"2:3.2.12-2ubuntu1.12",
"2:3.2.12-2ubuntu1.13",
"2:3.2.12-2ubuntu1.14",
"2:3.2.12-2ubuntu1.15",
"2:3.2.12-2ubuntu1.16",
"2:3.2.12-2ubuntu1.17",
"2:3.2.12-2ubuntu1.18",
"2:3.2.12-2ubuntu1.19",
"2:3.2.12-2ubuntu1.20",
"2:3.2.12-2ubuntu1.21",
"2:3.2.12-2ubuntu1.22",
"2:3.2.12-2ubuntu1.23",
"2:3.2.12-2ubuntu1.24"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-14550",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1207",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1312",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "3:4.2.11-1ubuntu1.14"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@3:4.2.11-1ubuntu1.14?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:4.2.11-1ubuntu1.14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3:4.2.4-1ubuntu2",
"3:4.2.8-1",
"3:4.2.9-1",
"3:4.2.11-1",
"3:4.2.11-1ubuntu1",
"3:4.2.11-1ubuntu1.1",
"3:4.2.11-1ubuntu1.2",
"3:4.2.11-1ubuntu1.3",
"3:4.2.11-1ubuntu1.4",
"3:4.2.11-1ubuntu1.5",
"3:4.2.11-1ubuntu1.6",
"3:4.2.11-1ubuntu1.7",
"3:4.2.11-1ubuntu1.8",
"3:4.2.11-1ubuntu1.9",
"3:4.2.11-1ubuntu1.10",
"3:4.2.11-1ubuntu1.11",
"3:4.2.11-1ubuntu1.12",
"3:4.2.11-1ubuntu1.13"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2025-13473",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2025-14550",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1207",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1285",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1287",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-1312",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-django",
"binary_version": "3:5.2.4-1ubuntu2.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@3:5.2.4-1ubuntu2.3?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:5.2.4-1ubuntu2.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3:4.2.18-1ubuntu1",
"3:4.2.18-1ubuntu1.1",
"3:5.2.4-1",
"3:5.2.4-1ubuntu1",
"3:5.2.4-1ubuntu2",
"3:5.2.4-1ubuntu2.1",
"3:5.2.4-1ubuntu2.2"
]
}
],
"aliases": [],
"details": "It was discovered that Django exposed timing information when checking\npasswords. An attacker could possibly use this issue to obtain sensitive\ninformation. (CVE-2025-13473)\n\nJiyong Yang discovered that Django incorrectly handled malformed requests\nwith duplicate headers. An attacker could possibly use this issue to cause\na denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu\n24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)\n\nTarek Nakkouch discovered that Django incorrectly parsed raster lookups. An\nattacker could possibly use this issue to perform SQL injection attacks.\nThis issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04\nLTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)\n\nSeokchan Yoon discovered that Django incorrectly handled malformed HTML\ninputs containing a large amount of unmatched HTML end tags. An attacker\ncould possibly use this issue to cause a denial of service. This issue only\naffected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04\nLTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1285)\n\nSolomon Kebede discovered that Django incorrectly handled control\ncharacters in the dictionary expansion of certain QuerySet methods. An\nattacker could possibly use this issue to perform SQL injection attacks.\n(CVE-2026-1287)\n\nSolomon Kebede discovered that Django incorrectly handled column alias\nparsing with dictionary expansion. An attacker could possibly use this\nissue to perform SQL injection attacks. This issue only affected Ubuntu\n24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)",
"id": "USN-8009-1",
"modified": "2026-06-30T15:54:46Z",
"published": "2026-02-03T16:06:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8009-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-13473"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2025-14550"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-1207"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-1285"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-1287"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-1312"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "python-django vulnerabilities",
"upstream": [
"UBUNTU-CVE-2025-13473",
"UBUNTU-CVE-2025-14550",
"UBUNTU-CVE-2026-1207",
"UBUNTU-CVE-2026-1285",
"UBUNTU-CVE-2026-1287",
"UBUNTU-CVE-2026-1312"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.