
Commit 74d9069

1 parent f545ca5 commit 74d9069

6 files changed

Lines changed: 321 additions & 127 deletions


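--- /dev/null
+++ b/<path-not-shown>/GHSA-mmwr-2jhp-mc7j.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-mmwr-2jhp-mc7j",
+"modified": "2026-04-08T15:40:25Z",
+"published": "2026-04-07T15:30:52Z",
+"aliases": [
+"CVE-2026-4292"
+],
+"summary": "Django vulnerable to privilege abuse in ModelAdmin.list_editable",
+"details": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.13"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.30"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4292"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-862"
+],
+"severity": "LOW",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-08T15:40:25Z",
+"nvd_published_at": "2026-04-07T15:17:46Z"
+}
+}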
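Review bot: The `affected` ranges declare only the 6.0, 5.2 and 4.2 series while the `details` text says earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected, so an OSV consumer that matches installed versions against `affected` will report a 5.0.x or 3.2.x deployment as not affected by CVE-2026-4292. The prose and the machine-readable ranges should agree: either widen the ranges to cover the unevaluated series per this database's policy for end-of-life branches, or surface the gap in `database_specific` (for example an explicit key stating that ranges are limited to supported series) so tooling can flag it rather than silently passing. I cannot tell from this page which convention the maintainers use, so I am raising the mismatch rather than proposing a specific range. The same mismatch is present in the GHSA-mvfq-ggxm-9mc5 and GHSA-pwjp-ccjc-ghwg sections below, which carry identical version text and ranges.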
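--- /dev/null
+++ b/<path-not-shown>/GHSA-mvfq-ggxm-9mc5.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-mvfq-ggxm-9mc5",
+"modified": "2026-04-08T15:39:55Z",
+"published": "2026-04-07T15:30:52Z",
+"aliases": [
+"CVE-2026-3902"
+],
+"summary": "Django vulnerable to ASGI header spoofing via underscore/hyphen conflation",
+"details": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.13"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.30"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3902"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-290"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-08T15:39:55Z",
+"nvd_published_at": "2026-04-07T15:17:46Z"
+}
+}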
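--- /dev/null
+++ b/<path-not-shown>/GHSA-pwjp-ccjc-ghwg.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-pwjp-ccjc-ghwg",
+"modified": "2026-04-08T15:40:11Z",
+"published": "2026-04-07T15:30:52Z",
+"aliases": [
+"CVE-2026-4277"
+],
+"summary": "Django vulnerable to privilege abuse in GenericInlineModelAdmin",
+"details": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.13"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.30"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4277"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-862"
+],
+"severity": "LOW",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-08T15:40:11Z",
+"nvd_published_at": "2026-04-07T15:17:46Z"
+}
+}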

advisories/unreviewed/2026/04/GHSA-mmwr-2jhp-mc7j/GHSA-mmwr-2jhp-mc7j.json

Lines changed: 0 additions & 44 deletions
This file was deleted.
