All Django CVEs — Complete Vulnerability History
Django releases security patches regularly — usually every 4-8 weeks. The Django team has an excellent security disclosure process and clear upgrade paths. Most CVEs are ReDoS, XSS, or open redirect issues rather than critical RCE.
PyPI · 15M+ weekly downloads · 8 CVEs total · 3 CRITICAL
CVE history — all 8 known vulnerabilities
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-45115 | 2021 | HIGH | DoS via UserAttributeSimilarityValidator | Fixed in 3.2.11 |
| CVE-2021-45116 | 2021 | MEDIUM | Information disclosure via dictsort template filter | Fixed in 3.2.11 |
| CVE-2022-28346 | 2022 | CRITICAL | SQL injection via QuerySet.annotate, aggregate, extra | Fixed in 3.2.13 |
| CVE-2022-28347 | 2022 | CRITICAL | SQL injection via QuerySet.explain | Fixed in 3.2.13 |
| CVE-2022-36359 | 2022 | HIGH | Open redirect in FileResponse | Fixed in 3.2.15 |
| CVE-2023-24580 | 2023 | HIGH | DoS via multipart request parsing | Fixed in 4.1.7 |
| CVE-2023-31047 | 2023 | CRITICAL | Upload validation bypass via FileField | Fixed in 4.2.1 |
| CVE-2024-27351 | 2024 | HIGH | ReDoS in strip_tags HTML sanitizer | Fixed in 4.2.13 |
Current safe version
✓ Update to 4.2.13
The latest safe version addresses all 8 known CVEs listed above.
Before and after
Vulnerable pin in requirements.txt:
```
Django==3.2.0
```
Fixed pin:
```
Django==4.2.13
```
Then run: `pip install -r requirements.txt`
Paste your manifest into PackageFix to see your exact installed version checked against this full CVE list. Free, no signup, no CLI, runs in your browser.
Common questions
How often does Django release security patches?
Roughly every 4-8 weeks. The Django team maintains a security mailing list (django-security-announce) and publishes advisories at docs.djangoproject.com/en/dev/releases/security. Subscribe to stay informed.
What are the most serious Django CVEs?
The 2022 SQL injection CVEs (CVE-2022-28346 and CVE-2022-28347) were the most severe — CRITICAL severity, affecting QuerySet methods used in almost all Django apps. Any app on Django < 3.2.13 that uses annotate, aggregate, extra, or explain with user input is vulnerable.
Is Django 3.2 still receiving security patches?
Django 3.2 is end-of-life as of April 2024. You should be on Django 4.2 LTS (supported until April 2026) or Django 5.0+. Django 3.2 no longer receives security fixes — any new CVE discovered won't be patched.
How do I check my Django version?
Run `python -m django --version`. Or paste your `requirements.txt` into PackageFix, which will show your installed Django version and flag any unpatched CVEs.
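The two steps above (read the pin out of `requirements.txt`, compare it with the fix versions in the CVE table) can be scripted. The following is an added example written for this page, not PackageFix's own code: the CVE IDs and "Fixed in" versions are copied from the table above, the sample manifest is constructed, and the version parser is a deliberately dependency-free simplification (it assumes the table's single fix version is the release to compare against, so it can over-report on older branches that received a backport).

```python
"""Check the Django pin in a requirements.txt against the CVE table above.

Added example for this page, not PackageFix's own code. Fix versions are
taken from the table; the parsing and comparison logic is constructed here
and avoids third-party packages so it runs anywhere Python runs.
"""
import re
from importlib import metadata

# (CVE ID, first fixed version) copied from the table above. Assumption:
# the single "Fixed in" release is the one to compare against; real
# advisories patch several branches, so an older branch with a backport
# may be reported as unpatched here (conservative, not exact).
DJANGO_FIXES = [
    ("CVE-2021-45115", "3.2.11"),
    ("CVE-2021-45116", "3.2.11"),
    ("CVE-2022-28346", "3.2.13"),
    ("CVE-2022-28347", "3.2.13"),
    ("CVE-2022-36359", "3.2.15"),
    ("CVE-2023-24580", "4.1.7"),
    ("CVE-2023-31047", "4.2.1"),
    ("CVE-2024-27351", "4.2.13"),
]

# Matches an exact pin such as "Django==4.2.13" or "django[argon2]==4.2.13",
# but not "django>=3.2" (a range, not a pin) or "django-filter==23.5".
_PIN_RE = re.compile(
    r"^\s*django(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE
)


def parse_version(text):
    """Turn '4.2.13' into a comparable tuple (4, 2, 13, 0).

    Short versions are padded so '4.2' equals '4.2.0'. Any pre-release
    suffix ('5.0a1') appends -1 so it sorts below the final release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((-1,) if m.group(2) else (0,))


def pinned_django_version(requirements_text):
    """Return the exactly pinned Django version, or None if Django is
    absent or not pinned with '=='."""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _PIN_RE.match(line)
        if m:
            return m.group(1)
    return None


def unpatched_cves(version, fixes=DJANGO_FIXES):
    """CVE IDs from the table whose fix version is newer than `version`."""
    current = parse_version(version)
    return [cve for cve, fixed in fixes if current < parse_version(fixed)]


def check_requirements(requirements_text):
    """(pinned version or None, list of unpatched CVE IDs) for a manifest."""
    pinned = pinned_django_version(requirements_text)
    if pinned is None:
        return None, []
    return pinned, unpatched_cves(pinned)


def installed_django_version():
    """Version of Django installed in this interpreter, or None.

    Equivalent to `python -m django --version` without importing Django.
    """
    try:
        return metadata.version("Django")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample manifest; uses the 'Vulnerable' pin shown on this page.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
Django==3.2.0  # vulnerable pin from the before/after section
django-filter==23.5
psycopg2-binary>=2.9
"""

if __name__ == "__main__":
    pinned, cves = check_requirements(SAMPLE_REQUIREMENTS)
    print(f"Django=={pinned}: {len(cves)} unpatched CVE(s) from the table -> {cves}")
    print("installed Django:", installed_django_version() or "not installed")
```

Running the script against the constructed manifest reports all 8 CVEs for `Django==3.2.0` and none for `4.2.13`; a range specifier such as `django>=3.2` is reported as unpinned rather than guessed, because the pin is the only thing the manifest actually proves.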