| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u30 (stretch), 1:1.11.29-1+deb10u19 (buster) |
| Related CVEs | CVE-2025-13473 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287 CVE-2026-1312 |
It was discovered that there were multiple vulnerabilities in Django, the Python-based web development framework:

- CVE-2025-13473: The `check_password` function in `django.contrib.auth.handlers.modwsgi` for authentication via `mod_wsgi` allowed remote attackers to enumerate users via a timing attack.
- CVE-2026-1207: Raster lookups on `RasterField` (only implemented on PostGIS) allowed remote attackers to inject SQL via the band index parameter.
- CVE-2026-1285: The `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allowed a remote attacker to cause a potential denial of service via crafted inputs containing a large number of unmatched HTML end tags.
- CVE-2026-1287: `FilteredRelation` was subject to SQL injection in column aliases via control characters using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to the `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()` and `alias()`.
- CVE-2026-1312: `QuerySet.order_by()` was subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.
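The user-enumeration issue in CVE-2025-13473 comes from an authentication handler that returns early for unknown users, skipping the password hashing it would do for a known user; the following added example (not Django's or mod_wsgi's own code) contrasts that shape with one that spends the same hashing cost on both paths. It assumes mod_wsgi's `check_password(environ, user, password)` convention (None for unknown user, True/False otherwise), PBKDF2 via `hashlib` as a stand-in for Django's hashers, and a constructed in-memory user store.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for this constructed example

_derive_calls = 0


def derive_calls():
    """Number of password derivations performed so far (used to show equal work per path)."""
    return _derive_calls


def _derive(password, salt):
    global _derive_calls
    _derive_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user store: username -> (salt, digest). Not real credentials.
USERS = {"alice": _record("correct horse battery staple")}

# Dummy credential hashed once at import; gives the unknown-user path the same cost as a real one.
_DUMMY_SALT, _DUMMY_DIGEST = _record("unused-dummy-password")


def check_password_leaky(environ, username, password):
    """Pre-fix shape: an unknown user short-circuits before any hashing, so the
    response time differs measurably between existing and non-existing accounts."""
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, digest = rec
    return hmac.compare_digest(_derive(password, salt), digest)


def check_password(environ, username, password):
    """Hardened shape: both paths perform exactly one derivation before answering."""
    rec = USERS.get(username)
    if rec is None:
        _derive(password, _DUMMY_SALT)  # burn the same cost, then reject
        return None
    salt, digest = rec
    return hmac.compare_digest(_derive(password, salt), digest)
```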
In addition, the fix for CVE-2025-6069 in the python3.9 source package modified the `html.parser.HTMLParser` class in a way that changed the behaviour of Django's `strip_tags()` method in some edge cases covered by Django's test suite. As a result of this regression, we have updated the test suite for the new expected results.
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u19.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u30.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.