SB20260213120 - openEuler 24.03 LTS SP2 update for python-django 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260213120

SB20260213120 - openEuler 24.03 LTS SP2 update for python-django

Published: February 13, 2026

Security Bulletin ID SB20260213120
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Medium 33% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2025-13473)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing difference in the mod_wsgi authentication handler within the django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi. A remote attacker can enumerate existing usernames.


2) Resource exhaustion (CVE-ID: CVE-2025-14550)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when using ASGIRequest. A remote attacker can send multiple requests with duplicated HTTP headers to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


3) SQL injection (CVE-ID: CVE-2026-1207)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed as a band index to raster lookups on GIS fields (only implemented on PostGIS). A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


4) Resource exhaustion (CVE-ID: CVE-2026-1285)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and truncatechars_html and truncatewords_html template filters. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) SQL injection (CVE-ID: CVE-2026-1287)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list(), and alias().. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


6) SQL injection (CVE-ID: CVE-2026-1312)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.order_by() method. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


Remediation

Install update from vendor's website.

References