CVE Dashboard

Vulnerability scan results for your project

Generated: 2026-05-26 13:57:21

Total Dependencies
8
Vulnerable
6
Clean Dependencies
2
Total Vulnerabilities
108
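
The four counters are per advisory record, so the 108 findings below overstate the work: most Django CVEs appear once under a GHSA identifier and once under a PYSEC identifier, and the two records often quote fix versions from different release series. The script below is an added example (not output of, or code from, the scanner that produced this page) that collapses such rows into one entry per CVE and one upgrade target per package. FINDINGS is a constructed subset of eleven rows from this dashboard, and the regex that reads "X.Y before X.Y.Z" phrases out of the PYSEC descriptions is this example's own heuristic.

```python
"""Collapse per-advisory findings into one row per CVE and one upgrade target per package.

Added example, not output of the scanner behind this dashboard. FINDINGS is a constructed
subset of the dashboard rows: (severity, package, installed, advisory, CVE, remediation,
description). GHSA rows often quote a fix from a newer release series than the installed
one, while PYSEC text names each series' backport ("4.2 before 4.2.26"); this code prefers
the backport in the installed series and discards fix versions older than what is installed
("3.2.22" says nothing about a 4.2.5 install). The phrase regex is a heuristic.
"""
import re

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")
SERIES_FIX_RE = re.compile(r"(\d+\.\d+) before (\d+\.\d+\.\d+)")

FINDINGS = [
    ("CRITICAL", "django", "4.2.5", "GHSA-frmv-pr5f-9mcr", "CVE-2025-64459", "5.2.8",
     "Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects."),
    ("HIGH", "django", "4.2.5", "PYSEC-2025-108", "CVE-2025-64459", "4.2.26",
     "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8."),
    ("HIGH", "django", "4.2.5", "GHSA-h8gc-pgj2-vjm3", "CVE-2023-43665", "3.2.22",
     "Django Denial-of-service in django.utils.text.Truncator"),
    ("UNKNOWN", "django", "4.2.5", "PYSEC-2023-226", "CVE-2023-43665", "3.2.22",
     "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the Truncator ..."),
    ("HIGH", "django", "4.2.5", "PYSEC-2026-52", "CVE-2026-4277", "4.2.30",
     "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30."),
    ("LOW", "django", "4.2.5", "GHSA-pwjp-ccjc-ghwg", "CVE-2026-4277", "6.0.4",
     "Django vulnerable to privilege abuse in GenericInlineModelAdmin"),
    ("HIGH", "cryptography", "41.0.3", "GHSA-jfhm-5ghh-2f97", "CVE-2023-49083", "41.0.6",
     "cryptography vulnerable to NULL-dereference when loading PKCS7 certificates"),
    # The dashboard's remediation cell for this row is a commit hash, which has no version order.
    ("HIGH", "cryptography", "41.0.3", "PYSEC-2023-254", "CVE-2023-49083",
     "f09c261ca10a31fe41b1262306db7f8f1da0e48a", "load_pem_pkcs7_certificates NULL-pointer dereference"),
    ("UNKNOWN", "cryptography", "41.0.3", "GHSA-9v9h-cgj8-h64p", "CVE-2024-0727", "42.0.2",
     "Null pointer dereference in PKCS12 parsing"),
    ("HIGH", "urllib3", "1.26.16", "GHSA-v845-jxx5-vc9f", "CVE-2023-43804", "2.0.6",
     "`Cookie` HTTP header isn't stripped on cross-origin redirects"),
    ("HIGH", "urllib3", "1.26.16", "PYSEC-2023-192", "CVE-2023-43804", "1.26.17",  # version from the text
     "This issue has been patched in urllib3 version 1.26.17 or 2.0.5."),
]


def parse_version(text):
    """'4.2.17' -> (4, 2, 17); None for anything that is not dotted integers, such as a commit hash."""
    return tuple(int(p) for p in text.split(".")) if VERSION_RE.match(text) else None


def series_of(version):
    """'4.2.5' -> '4.2'."""
    return ".".join(version.split(".")[:2])


def choose_fix(candidates, installed):
    """Lowest candidate that actually moves `installed` past the bug: same-series first,
    else the lowest version from a newer series; older versions and non-versions are dropped."""
    inst = parse_version(installed)
    same, newer = [], []
    for text in candidates:
        v = parse_version(text)
        if v is None:
            continue
        if v[:2] == inst[:2] and v > inst:
            same.append(v)
        elif v[:2] > inst[:2]:
            newer.append(v)
    pool = same or newer
    return ".".join(map(str, min(pool))) if pool else None


def dedupe(findings):
    """Merge rows for the same (package, CVE): worst severity, all advisory ids, best fix."""
    merged = {}
    for sev, pkg, installed, advisory, cve, remediation, description in findings:
        row = merged.setdefault((pkg, cve), {"installed": installed, "severity": sev,
                                             "advisories": [], "candidates": []})
        row["advisories"].append(advisory)
        if SEVERITY_RANK[sev] > SEVERITY_RANK[row["severity"]]:
            row["severity"] = sev
        # A same-series backport named in the description beats the remediation cell.
        by_series = dict(SERIES_FIX_RE.findall(description))
        row["candidates"].append(by_series.get(series_of(installed), remediation))
    for row in merged.values():
        row["fix"] = choose_fix(row.pop("candidates"), row["installed"])
    return merged


def upgrade_plan(merged):
    """Per package: the highest per-CVE fix (covers the lower ones within a series) plus unresolved CVEs."""
    plan = {}
    for (pkg, cve), row in merged.items():
        entry = plan.setdefault(pkg, {"installed": row["installed"], "target": None,
                                      "cves": [], "unresolved": []})
        entry["cves"].append(cve)
        if row["fix"] is None:
            entry["unresolved"].append(cve)
        elif entry["target"] is None or parse_version(row["fix"]) > parse_version(entry["target"]):
            entry["target"] = row["fix"]
    for entry in plan.values():
        # A target outside the installed series is a major upgrade, not a patch bump.
        entry["leaves_series"] = bool(entry["target"]) and series_of(entry["target"]) != series_of(entry["installed"])
    return plan
```

For this eleven-row subset `dedupe()` yields six distinct (package, CVE) pairs and `upgrade_plan()` gives django 4.2.5 to 4.2.30, urllib3 1.26.16 to 1.26.17, and cryptography 41.0.3 to 42.0.2 with `leaves_series` set, because the only fix the subset knows for CVE-2024-0727 is in the 42.0 series. The urllib3 2.x-only fixes further down this page are not in the subset; with the full list the urllib3 target also leaves the 1.26 series, which is the real scope of that upgrade.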

Vulnerabilities (108)

Note: the total counts advisory records, not distinct CVEs. Most Django CVEs below appear twice, once as a GHSA record and once as a PYSEC record, sometimes with different severity ratings (CVE-2025-13473 is HIGH in one and LOW in the other) and different remediation versions; the distinct-CVE count is well under 108. Where a GHSA record's remediation names a release series newer than the installed one, the PYSEC description for the same CVE lists the backport for each supported series (for Django 4.2.5, the 4.2.x release), and that backport is the version to pin.

Severity Package Vulnerability Description & Remediation
CRITICAL
django
v4.2.5
PyPI
GHSA-frmv-pr5f-9mcr
CVE-2025-64459
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
💡 Remediation: Upgrade to version 4.2.26 or later (4.2 series; later series fixed in 5.1.14, 5.2.8)
CRITICAL
django
v4.2.5
PyPI
GHSA-pv4p-cwwg-4rph
CVE-2024-42005
Django SQL injection vulnerability
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
CRITICAL
pillow
v10.0.0
PyPI
GHSA-3f63-hfp8-52jq
CVE-2023-50447
Arbitrary Code Execution in Pillow
💡 Remediation: Upgrade to version 10.2.0 or later
HIGH
requests
v2.31.0
PyPI
GHSA-9hjg-9r4m-mvj7
CVE-2024-47081
Requests vulnerable to .netrc credentials leak via malicious URLs
💡 Remediation: Upgrade to version 2.32.4 or later
HIGH
django
v4.2.5
PyPI
GHSA-5hgc-2vfp-mqvc
CVE-2024-45230
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
💡 Remediation: Upgrade to version 4.2.16 or later (4.2 series; later series fixed in 5.0.9, 5.1.1)
HIGH
django
v4.2.5
PyPI
GHSA-5mf9-h53q-7mhq
CVE-2026-33033
Django has potential DoS via MultiPartParser through crafted multipart uploads
💡 Remediation: Upgrade to version 4.2.30 or later (4.2 series; later series fixed in 5.2.13, 6.0.4)
HIGH
django
v4.2.5
PyPI
GHSA-6426-9fv3-65x8
CVE-2026-1312
Django has an SQL Injection issue
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
HIGH
django
v4.2.5
PyPI
GHSA-6w2r-r2m5-xq5w
CVE-2025-57833
Django is subject to SQL injection through its column aliases
💡 Remediation: Upgrade to version 4.2.24 or later
HIGH
django
v4.2.5
PyPI
GHSA-795c-9xpc-xw6g
CVE-2024-41990
Django vulnerable to a denial-of-service attack
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
HIGH
django
v4.2.5
PyPI
GHSA-7xr5-9hcq-chf9
CVE-2025-48432
Django Improper Output Neutralization for Logs vulnerability
💡 Remediation: Upgrade to version 4.2.22 or later (4.2 series; later series fixed in 5.1.10, 5.2.2)
HIGH
django
v4.2.5
PyPI
GHSA-8498-2h75-472j
CVE-2024-53907
Django denial-of-service in django.utils.html.strip_tags()
💡 Remediation: Upgrade to version 4.2.17 or later (4.2 series; later series fixed in 5.0.10, 5.1.4)
HIGH
django
v4.2.5
PyPI
GHSA-8j24-cjrq-gr2m
CVE-2025-32873
Django has a denial-of-service possibility in strip_tags()
💡 Remediation: Upgrade to version 4.2.21 or later
HIGH
django
v4.2.5
PyPI
GHSA-8p8v-wh79-9r56
CVE-2026-25673
Django vulnerable to Uncontrolled Resource Consumption
💡 Remediation: Upgrade to version 6.0.3 or later
HIGH
django
v4.2.5
PyPI
GHSA-933h-hp56-hf7m
CVE-2026-33034
Django: ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
💡 Remediation: Upgrade to version 4.2.30 or later (4.2 series; later series fixed in 5.2.13, 6.0.4)
HIGH
django
v4.2.5
PyPI
GHSA-9jmf-237g-qf46
CVE-2024-39330
Django Path Traversal vulnerability
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
HIGH
django
v4.2.5
PyPI
GHSA-f6f8-9mx6-9mx2
CVE-2024-39614
Django vulnerable to Denial of Service
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
HIGH
django
v4.2.5
PyPI
GHSA-gvg8-93h5-g6qq
CVE-2026-1287
Django has an SQL Injection issue
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
HIGH
django
v4.2.5
PyPI
GHSA-h8gc-pgj2-vjm3
CVE-2023-43665
Django Denial-of-service in django.utils.text.Truncator
💡 Remediation: Upgrade to version 4.2.6 or later (4.2 series; 3.2.22 and 4.1.12 are the fixes for those older series and do not cover an installed 4.2.5)
HIGH
django
v4.2.5
PyPI
GHSA-hpr9-3m2g-3j9p
CVE-2025-59681
Django vulnerable to SQL injection in column aliases
💡 Remediation: Upgrade to version 4.2.25 or later
HIGH
django
v4.2.5
PyPI
GHSA-jh75-99hh-qvx9
CVE-2024-41989
Django memory consumption vulnerability
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
HIGH
django
v4.2.5
PyPI
GHSA-m9g8-fxxm-xg86
CVE-2024-53908
Django SQL injection in HasKey(lhs, rhs) on Oracle
💡 Remediation: Upgrade to version 4.2.17 or later (4.2 series; later series fixed in 5.0.10, 5.1.4)
HIGH
django
v4.2.5
PyPI
GHSA-mvfq-ggxm-9mc5
CVE-2026-3902
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
💡 Remediation: Upgrade to version 4.2.30 or later (4.2 series; later series fixed in 5.2.13, 6.0.4)
HIGH
django
v4.2.5
PyPI
GHSA-mwm9-4648-f68q
CVE-2026-1207
Django has an SQL Injection issue
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
HIGH
django
v4.2.5
PyPI
GHSA-p3fp-8748-vqfq
CVE-2025-26699
Django vulnerable to Allocation of Resources Without Limits or Throttling
💡 Remediation: Upgrade to version 4.2.20 or later
HIGH
django
v4.2.5
PyPI
GHSA-qcgg-j2x8-h9g8
CVE-2024-56374
Django has a potential denial-of-service vulnerability in IPv6 validation
💡 Remediation: Upgrade to version 4.2.18 or later (4.2 series; later series fixed in 5.0.11, 5.1.5)
HIGH
django
v4.2.5
PyPI
GHSA-qg2p-9jwr-mmqf
CVE-2024-38875
Django vulnerable to Denial of Service
💡 Remediation: Upgrade to version 4.2.14 or later
HIGH
django
v4.2.5
PyPI
GHSA-qmf9-6jqf-j8fq
CVE-2023-46695
Django potential denial of service vulnerability in UsernameField on Windows
💡 Remediation: Upgrade to version 4.2.7 or later (4.2 series; 3.2.23 and 4.1.13 are the fixes for those older series and do not cover an installed 4.2.5)
HIGH
django
v4.2.5
PyPI
GHSA-qw25-v68c-qjf3
CVE-2025-64458
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
💡 Remediation: Upgrade to version 4.2.26 or later (4.2 series; later series fixed in 5.1.14, 5.2.8)
HIGH
django
v4.2.5
PyPI
GHSA-r836-hh6v-rg5g
CVE-2024-41991
Django vulnerable to denial-of-service attack
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
HIGH
django
v4.2.5
PyPI
GHSA-rqw2-ghq9-44m7
CVE-2025-13372
Django is vulnerable to SQL injection in column aliases
💡 Remediation: Upgrade to version 4.2.27 or later (4.2 series; later series fixed in 5.1.15, 5.2.9)
HIGH
django
v4.2.5
PyPI
GHSA-rrqc-c2jx-6jgv
CVE-2024-45231
Django allows enumeration of user e-mail addresses
💡 Remediation: Upgrade to version 4.2.16 or later (4.2 series; later series fixed in 5.0.9, 5.1.1)
HIGH
django
v4.2.5
PyPI
GHSA-vm8q-m57g-pff3
CVE-2024-27351
Regular expression denial-of-service in Django
💡 Remediation: Upgrade to version 4.2.11 or later (4.2 series; later series fixed in 5.0.3; 3.2.25 is the fix for the older 3.2 series and does not cover an installed 4.2.5)
HIGH
django
v4.2.5
PyPI
GHSA-vrcr-9hj9-jcg6
CVE-2025-64460
Django is vulnerable to DoS via XML serializer text extraction
💡 Remediation: Upgrade to version 4.2.27 or later (4.2 series; later series fixed in 5.1.15, 5.2.9)
HIGH
django
v4.2.5
PyPI
GHSA-x7q2-wr7g-xqmf
CVE-2024-39329
Django vulnerable to user enumeration attack
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
HIGH
django
v4.2.5
PyPI
GHSA-xxj9-f6rv-m3x4
CVE-2024-24680
Django denial-of-service attack in the intcomma template filter
💡 Remediation: Upgrade to version 4.2.10 or later (4.2 series; later series fixed in 5.0.2; 3.2.24 is the fix for the older 3.2 series and does not cover an installed 4.2.5)
HIGH
django
v4.2.5
PyPI
PYSEC-2025-104
CVE-2025-13372
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
💡 Remediation: Upgrade to version 4.2.27 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2025-105
CVE-2025-57833
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
💡 Remediation: Upgrade to version 4.2.24 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2025-106
CVE-2025-59681
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
💡 Remediation: Upgrade to version 4.2.25 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2025-107
CVE-2025-64458
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
💡 Remediation: Upgrade to version 4.2.26 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2025-108
CVE-2025-64459
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
💡 Remediation: Upgrade to version 4.2.26 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2025-109
CVE-2025-64460
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
💡 Remediation: Upgrade to version 4.2.27 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-42
CVE-2025-13473
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
💡 Remediation: Upgrade to version 4.2.28 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-43
CVE-2025-14550
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
💡 Remediation: Upgrade to version 4.2.28 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-44
CVE-2026-1207
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
💡 Remediation: Upgrade to version 4.2.28 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-45
CVE-2026-1285
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Dja
💡 Remediation: Upgrade to version 4.2.28 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-46
CVE-2026-1287
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would li
💡 Remediation: Upgrade to version 4.2.28 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-47
CVE-2026-1312
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias, supplied through a suitably crafted dictionary with dictionary expansion, is also used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
💡 Remediation: Upgrade to version 4.2.28 or later
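
The PYSEC descriptions above (CVE-2025-57833, CVE-2025-59681, CVE-2025-13372, CVE-2025-64459, CVE-2026-1207, CVE-2026-1287, CVE-2026-1312) and CVE-2024-42005 further down describe one pattern: a request-derived dictionary expanded with ** into annotate(), alias(), aggregate(), extra(), values(), values_list(), filter() or Q(), so the caller chooses column aliases, lookup paths or the private `_connector` argument rather than only values. Upgrading to 4.2.28 closes the listed variants; the added example below (not Django code and not taken from any of these fixes) shows the application-side guard that removes the whole class: an explicit allowlist plus a plain-identifier check on every name before it reaches the ORM. The allowlists and probe inputs are constructed for the example, and no Django import is needed to run it.

```python
"""Allowlist check for keyword names before they reach QuerySet.annotate()/alias()/filter()/values().

Added example; this is not Django code and not a backport of any fix listed above.
The SQL-injection entries share one root cause: a dictionary built from request data
is expanded with ** into an ORM call, so the attacker picks the *names* (column
aliases, lookup paths, or the private `_connector` argument). Django's fixes rejected
ever more characters in aliases (quotes and whitespace, then control characters, then
periods); an application-side allowlist closes the class. Allowlists and probes below
are constructed for the example.
"""
import re

# ASCII letter first, then letters/digits/underscore: no leading underscore, no '.',
# and no whitespace, quotes, semicolons or control characters can pass this.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class UnsafeORMKeyword(ValueError):
    """Raised instead of silently dropping a bad key, so probes show up in logs."""


def is_plain_identifier(name):
    return isinstance(name, str) and IDENT_RE.match(name) is not None


def safe_kwargs(untrusted, allowed):
    """Keep only plain-identifier keys that are also allowlisted; raise on anything else.

    Use for annotate()/alias()/aggregate() alias names, and for Q()/filter()/exclude()
    keyword names after each has passed safe_lookup_path().
    """
    clean = {}
    for key, value in untrusted.items():
        if not is_plain_identifier(key):
            raise UnsafeORMKeyword(f"keyword {key!r} is not a plain identifier")
        if key not in allowed:
            raise UnsafeORMKeyword(f"keyword {key!r} is not in the allowlist")
        clean[key] = value
    return clean


def safe_lookup_path(path, allowed_fields):
    """Validate 'field__key__lookup' for values()/values_list()/filter() arguments.

    The first segment must be an allowed field and every segment a plain identifier,
    which rejects crafted JSON key paths of the kind behind CVE-2024-42005.
    """
    segments = path.split("__")
    if segments[0] not in allowed_fields:
        raise UnsafeORMKeyword(f"lookup {path!r} does not start with an allowed field")
    if not all(is_plain_identifier(s) for s in segments):
        raise UnsafeORMKeyword(f"lookup {path!r} contains an invalid segment")
    return path


# Constructed inputs shaped like the issues above (the shape matters, not the values).
ALLOWED_ALIASES = {"total", "latest"}
ALLOWED_FIELDS = {"id", "name", "data"}
PROBES = {
    "private kwarg (CVE-2025-64459)": {"_connector": "x"},
    "quoted alias (CVE-2025-57833)": {'total"; SELECT 1--': 1},
    "control char (CVE-2026-1287)": {"total\x00": 1},
    "dotted alias (CVE-2026-1312)": {"total.id": 1},
    "unknown but well-formed alias": {"count_all": 1},
    "legitimate": {"total": 1},
}


def classify(params, allowed=ALLOWED_ALIASES):
    """'accepted' or 'rejected: <reason>' for one parameter dictionary."""
    try:
        safe_kwargs(params, allowed)
        return "accepted"
    except UnsafeORMKeyword as exc:
        return f"rejected: {exc}"


def lookup_is_safe(path, allowed_fields=ALLOWED_FIELDS):
    try:
        safe_lookup_path(path, allowed_fields)
        return True
    except UnsafeORMKeyword:
        return False


if __name__ == "__main__":
    # Vulnerable shape from the advisories:  qs.annotate(**request_params)
    # Hardened:                              qs.annotate(**safe_kwargs(request_params, ALLOWED_ALIASES))
    for label, params in PROBES.items():
        print(f"{label:32} {classify(params)}")
```

The identifier check runs before the allowlist so that the reason in the log distinguishes a malformed name (a probe) from a well-formed name that simply is not permitted. Neither check replaces the upgrade: the ORM must still reject what the allowlist lets through by mistake.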
HIGH
django
v4.2.5
PyPI
PYSEC-2026-48
CVE-2026-33033
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
💡 Remediation: Upgrade to version 4.2.30 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-49
CVE-2026-33034
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
💡 Remediation: Upgrade to version 4.2.30 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-51
CVE-2026-3902
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
💡 Remediation: Upgrade to version 4.2.30 or later
HIGH
django
v4.2.5
PyPI
PYSEC-2026-52
CVE-2026-4277
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
💡 Remediation: Upgrade to version 4.2.30 or later
HIGH
pillow
v10.0.0
PyPI
GHSA-44wm-f244-xhp3
CVE-2024-28219
Pillow buffer overflow vulnerability
💡 Remediation: Upgrade to version 10.3.0 or later
HIGH
pillow
v10.0.0
PyPI
GHSA-j7hp-h8jx-5ppr
CVE-2023-4863 (also filed as CVE-2023-5129, later rejected as a duplicate)
libwebp: OOB write in BuildHuffmanTable (reachable through the libwebp binary bundled in Pillow wheels)
💡 Remediation: Upgrade to version 10.0.1 or later (the Pillow release that bundles libwebp 1.3.2; the "0.1.8" emitted by the scanner is not a Pillow version)
HIGH
cryptography
v41.0.3
PyPI
GHSA-3ww4-gg4f-jr7f
CVE-2023-50782
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
💡 Remediation: Upgrade to version 42.0.0 or later
HIGH
cryptography
v41.0.3
PyPI
GHSA-6vqw-3v5j-54x4
CVE-2024-26130
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
💡 Remediation: Upgrade to version 42.0.4 or later
HIGH
cryptography
v41.0.3
PyPI
GHSA-jfhm-5ghh-2f97
CVE-2023-49083
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
💡 Remediation: Upgrade to version 41.0.6 or later
HIGH
cryptography
v41.0.3
PyPI
GHSA-r6ph-v2qm-q3c2
CVE-2026-26007
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
💡 Remediation: Upgrade to version 46.0.5 or later
HIGH
cryptography
v41.0.3
PyPI
PYSEC-2023-254
CVE-2023-49083
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
💡 Remediation: Upgrade to version 41.0.6 or later (the scanner listed commit f09c261ca10a31fe41b1262306db7f8f1da0e48a here, which is not a PyPI release)
HIGH
cryptography
v41.0.3
PyPI
PYSEC-2024-225
CVE-2024-26130
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4.
💡 Remediation: Upgrade to version 42.0.4 or later (the scanner listed commit 97d231672763cdb5959a3b191e692a362f1b9e55 here, which is not a PyPI release)
HIGH
cryptography
v41.0.3
PyPI
PYSEC-2026-35
CVE-2026-34073
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.
💡 Remediation: Upgrade to version 46.0.6 or later
HIGH
urllib3
v1.26.16
PyPI
GHSA-2xpw-w6gg-jr37
CVE-2025-66471
urllib3 streaming API improperly handles highly compressed data
💡 Remediation: Upgrade to version 2.6.0 or later
HIGH
urllib3
v1.26.16
PyPI
GHSA-38jv-5279-wg99
CVE-2026-21441
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
💡 Remediation: Upgrade to version 2.6.3 or later
HIGH
urllib3
v1.26.16
PyPI
GHSA-gm62-xv2j-4w53
CVE-2025-66418
urllib3 allows an unbounded number of links in the decompression chain
💡 Remediation: Upgrade to version 2.6.0 or later
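
The three urllib3 entries just above are all decompression-side resource exhaustion: an attacker-controlled server sends a body that is tiny on the wire and enormous once decoded, or a Content-Encoding chain of unbounded length, or hides the bomb in a redirect hop where the limits were not applied. The added example below (not urllib3 code; its limits are its own choices, not urllib3's constants) shows how a streaming decoder enforces a link cap, an output cap and a ratio cap on every chunk, and why the same decoder must run over every hop of a redirect chain rather than only the final response. The sample body, the bombs and the redirect hops are constructed inline.

```python
"""Bounded decoding of compressed HTTP bodies, including the bodies of redirect hops.

Added example, not urllib3 code. It implements the safeguards behind the three urllib3
entries above: a cap on the number of Content-Encoding links (CVE-2025-66418), caps on
decoded size and compression ratio enforced while streaming (CVE-2025-66471), and
applying both to every hop of a redirect chain, not only the final response
(CVE-2026-21441). Limits, sample body and hops are this example's own constructions.
"""
import gzip
import zlib

MAX_ENCODING_LINKS = 3
MAX_OUTPUT_BYTES = 1 << 20        # 1 MiB of decoded body
MAX_RATIO = 200                   # decoded:encoded, checked once RATIO_GRACE bytes are out
RATIO_GRACE = 64 * 1024           # tiny bodies compress oddly; do not judge them by ratio
WBITS = {"gzip": 16 + zlib.MAX_WBITS, "x-gzip": 16 + zlib.MAX_WBITS, "deflate": zlib.MAX_WBITS}
SAMPLE_BODY = b'{"status": "ok", "items": []}' * 2000    # ~58 KB of constructed JSON


class DecompressionLimitExceeded(Exception):
    pass


def encoding_chain(header):
    """'gzip, deflate' -> ['gzip', 'deflate'] in sender order; refuses long chains up front."""
    links = [e.strip().lower() for e in header.split(",") if e.strip()]
    if len(links) > MAX_ENCODING_LINKS:
        raise DecompressionLimitExceeded(f"{len(links)} content encodings > {MAX_ENCODING_LINKS}")
    return links


class BoundedBodyDecoder:
    """Streaming decoder: feed encoded chunks, get decoded bytes, fail fast on any limit."""

    def __init__(self, content_encoding):
        # The receiver undoes encodings in reverse order of application (zlib-wrapped deflate only).
        self.stages = [zlib.decompressobj(WBITS[e]) for e in reversed(encoding_chain(content_encoding))]
        self.encoded = self.decoded = 0

    def _run(self, data, final):
        for stage in self.stages:
            # max_length caps one call's output; leftover input in unconsumed_tail means
            # this single step alone already produced more than the ceiling.
            data = stage.decompress(data, MAX_OUTPUT_BYTES + 1)
            if stage.unconsumed_tail:
                raise DecompressionLimitExceeded("decoded output exceeds limit")
            if final:
                data += stage.flush()
        self.decoded += len(data)
        if self.decoded > MAX_OUTPUT_BYTES:
            raise DecompressionLimitExceeded(f"decoded {self.decoded} bytes > {MAX_OUTPUT_BYTES}")
        if self.decoded > RATIO_GRACE and self.decoded > MAX_RATIO * self.encoded:
            raise DecompressionLimitExceeded(f"ratio {self.decoded // max(self.encoded, 1)}:1 > {MAX_RATIO}:1")
        return data

    def feed(self, chunk):
        self.encoded += len(chunk)
        return self._run(chunk, final=False)

    def finish(self):
        return self._run(b"", final=True)


def decode_body(content_encoding, payload, chunk_size=64 * 1024):
    """Run a whole in-memory body through the streaming decoder in chunks."""
    dec = BoundedBodyDecoder(content_encoding)
    parts = [dec.feed(payload[i:i + chunk_size]) for i in range(0, len(payload), chunk_size)]
    parts.append(dec.finish())
    return b"".join(parts)


def try_decode(content_encoding, payload):
    """Decoded bytes, or 'blocked: <reason>' when a limit trips."""
    try:
        return decode_body(content_encoding, payload)
    except DecompressionLimitExceeded as exc:
        return f"blocked: {exc}"


def try_follow(hops):
    """Decode every hop of a constructed chain [(status, encoding, body), ...] under the same limits."""
    try:
        for status, encoding, body in hops:
            decoded = decode_body(encoding, body)       # 3xx bodies get no free pass
            if not 300 <= status < 400:
                return status, decoded
        return None
    except DecompressionLimitExceeded as exc:
        return f"blocked: {exc}"


def encode(content_encoding, data):
    """Sender side: apply the listed encodings in order (for building sample inputs)."""
    for enc in encoding_chain(content_encoding):
        data = gzip.compress(data) if enc in ("gzip", "x-gzip") else zlib.compress(data)
    return data


def zero_bomb(decoded_size, content_encoding="gzip"):
    """`decoded_size` zero bytes, compressed: a few KB on the wire, megabytes once decoded."""
    return encode(content_encoding, bytes(decoded_size))
```

The size cap catches the 8 MiB bomb on its first chunk, because `max_length` stops zlib after 1 MiB + 1 bytes with input still unconsumed; the ratio cap catches a 512 KiB bomb that stays under the size cap; and `try_follow()` shows that a bomb in a 302 body is blocked exactly as one in the final 200 would be.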
HIGH
urllib3
v1.26.16
PyPI
GHSA-pq67-6m6q-mj2v
CVE-2025-50181
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
💡 Remediation: Upgrade to version 2.5.0 or later
HIGH
urllib3
v1.26.16
PyPI
GHSA-qccp-gfcp-xxvc
CVE-2026-44431
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
💡 Remediation: Upgrade to version 2.7.0 or later
HIGH
urllib3
v1.26.16
PyPI
GHSA-v845-jxx5-vc9f
CVE-2023-43804
`Cookie` HTTP header isn't stripped on cross-origin redirects
💡 Remediation: Upgrade to version 1.26.17 or later (1.26 series; 2.0.6 on the 2.x series)
HIGH
urllib3
v1.26.16
PyPI
PYSEC-2023-192
CVE-2023-43804
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
💡 Remediation: Upgrade to version 1.26.17 or later (1.26 series; 2.0.5 or later on the 2.x series; the scanner listed commit 644124ecd0b6e417c527191f866daa05a5a2056d here, which is not a PyPI release)
HIGH
urllib3
v1.26.16
PyPI
PYSEC-2026-141
CVE-2026-44431
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward the sensitive request headers that urllib3 otherwise strips on cross-origin redirects. This vulnerability is fixed in 2.7.0.
💡 Remediation: Upgrade to version 2.7.0 or later
LOW
flask
v2.3.3
PyPI
GHSA-68rp-wp8r-4726
CVE-2026-27205
Flask session does not add `Vary: Cookie` header when accessed in some ways
💡 Remediation: Upgrade to version 3.1.3 or later
LOW
django
v4.2.5
PyPI
GHSA-2mcm-79hx-8fxw
CVE-2025-13473
Django has Observable Timing Discrepancy
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
LOW
django
v4.2.5
PyPI
GHSA-33mw-q7rj-mjwj
CVE-2025-14550
Django has Inefficient Algorithmic Complexity
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
LOW
django
v4.2.5
PyPI
GHSA-4rrr-2h4v-f3j9
CVE-2026-1285
Django has Inefficient Algorithmic Complexity
💡 Remediation: Upgrade to version 4.2.28 or later (4.2 series; later series fixed in 5.2.11, 6.0.2)
LOW
django
v4.2.5
PyPI
GHSA-mjgh-79qc-68w3
CVE-2026-25674
Django has a Race Condition vulnerability
💡 Remediation: Upgrade to version 6.0.3 or later
LOW
django
v4.2.5
PyPI
GHSA-mmwr-2jhp-mc7j
CVE-2026-4292
Django vulnerable to privilege abuse in ModelAdmin.list_editable
💡 Remediation: Upgrade to version 4.2.30 or later (4.2 series; later series fixed in 5.2.13, 6.0.4)
LOW
django
v4.2.5
PyPI
GHSA-pwjp-ccjc-ghwg
CVE-2026-4277
Django vulnerable to privilege abuse in GenericInlineModelAdmin
💡 Remediation: Upgrade to version 4.2.30 or later (4.2 series; later series fixed in 5.2.13, 6.0.4)
LOW
django
v4.2.5
PyPI
GHSA-q95w-c7qg-hrff
CVE-2025-59682
Django vulnerable to partial directory traversal via archives
💡 Remediation: Upgrade to version 4.2.25 or later
LOW
cryptography
v41.0.3
PyPI
GHSA-m959-cc7f-wv43
CVE-2026-34073
cryptography has incomplete DNS name constraint enforcement on peer names
💡 Remediation: Upgrade to version 46.0.6 or later
LOW
cryptography
v41.0.3
PyPI
GHSA-v8gr-m533-ghj9
Vulnerable OpenSSL included in cryptography wheels
💡 Remediation: Upgrade to version 41.0.4 or later
UNKNOWN
requests
v2.31.0
PyPI
GHSA-9wx4-h78v-vm56
CVE-2024-35195
Requests `Session` object does not verify requests after making first request with verify=False
💡 Remediation: Upgrade to version 2.32.0 or later
UNKNOWN
requests
v2.31.0
PyPI
GHSA-gc5v-m9x4-r6x2
CVE-2026-25645
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
💡 Remediation: Upgrade to version 2.33.0 or later
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2023-222
CVE-2023-46695
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
💡 Remediation: Upgrade to version 4.2.7 or later (4.2 series; 3.2.23 and 4.1.13 are the fixes for those older series and do not cover an installed 4.2.5)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2023-226
CVE-2023-43665
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
💡 Remediation: Upgrade to version 4.2.6 or later (4.2 series; 3.2.22 and 4.1.12 are the fixes for those older series and do not cover an installed 4.2.5)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-102
CVE-2024-45230
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
💡 Remediation: Upgrade to version 4.2.16 or later (4.2 series; later series fixed in 5.0.9, 5.1.1)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-156
CVE-2024-53907
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
💡 Remediation: Upgrade to version 4.2.17 or later (4.2 series; later series fixed in 5.0.10, 5.1.4)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-157
CVE-2024-53908
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
💡 Remediation: Upgrade to version 4.2.17 or later (4.2 series; later series fixed in 5.0.10, 5.1.4)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-28
CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
💡 Remediation: Upgrade to version 4.2.10 or later (4.2 series; later series fixed in 5.0.2; 3.2.24 is the fix for the older 3.2 series and does not cover an installed 4.2.5)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-47
CVE-2024-27351
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
💡 Remediation: Upgrade to version 4.2.11 or later (4.2 series; later series fixed in 5.0.3; 3.2.25 is the fix for the older 3.2 series and does not cover an installed 4.2.5)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-56
CVE-2024-38875
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
💡 Remediation: Upgrade to version 4.2.14 or later
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-57
CVE-2024-39329
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-58
CVE-2024-39330
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-59
CVE-2024-39614
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
💡 Remediation: Upgrade to version 4.2.14 or later (4.2 series; later series fixed in 5.0.7)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-67
CVE-2024-41989
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-68
CVE-2024-41990
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-69
CVE-2024-41991
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2024-70
CVE-2024-42005
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
💡 Remediation: Upgrade to version 4.2.15 or later (4.2 series; later series fixed in 5.0.8)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2025-1
CVE-2024-56374
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
💡 Remediation: Upgrade to version 4.2.18 or later (4.2 series; later series fixed in 5.0.11, 5.1.5)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2025-13
CVE-2025-26699
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
💡 Remediation: Upgrade to version 4.2.20 or later (4.2 series; later series fixed in 5.0.13, 5.1.7)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2025-37
CVE-2025-32873
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
💡 Remediation: Upgrade to version 4.2.21 or later
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2025-47
CVE-2025-48432
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
💡 Remediation: Upgrade to version 4.2.22 or later (4.2 series; later series fixed in 5.1.10, 5.2.2)
UNKNOWN
django
v4.2.5
PyPI
PYSEC-2026-53
CVE-2026-4292
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
💡 Remediation: Upgrade to version 4.2.30 or later
UNKNOWN
pillow
v10.0.0
PyPI
GHSA-r73j-pqj5-w3x7
CVE-2026-42310
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
💡 Remediation: Upgrade to version 12.2.0 or later
UNKNOWN
pillow
v10.0.0
PyPI
GHSA-wjx4-4jcj-g98j
CVE-2026-42308
Pillow has an integer overflow when processing fonts
💡 Remediation: Upgrade to version 12.2.0 or later
UNKNOWN
pillow
v10.0.0
PyPI
PYSEC-2023-175
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
💡 Remediation: Upgrade to version 10.0.1 or later
UNKNOWN
cryptography
v41.0.3
PyPI
GHSA-9v9h-cgj8-h64p
CVE-2024-0727
Null pointer dereference in PKCS12 parsing
💡 Remediation: Upgrade to version 42.0.2 or later
UNKNOWN
cryptography
v41.0.3
PyPI
GHSA-h4gh-qq45-vh27
pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels
💡 Remediation: Upgrade to version 43.0.1 or later
UNKNOWN
urllib3
v1.26.16
PyPI
GHSA-34jh-p97f-mpxf
CVE-2024-37891
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
💡 Remediation: Upgrade to version 1.26.19 or later
UNKNOWN
urllib3
v1.26.16
PyPI
GHSA-g4mx-q9vg-27p4
CVE-2023-45803
urllib3's request body not stripped after redirect from 303 status changes request method to GET
💡 Remediation: Upgrade to version 1.26.18 or later (1.26 series; 2.0.7 on the 2.x series)
UNKNOWN
urllib3
v1.26.16
PyPI
PYSEC-2023-212
CVE-2023-45803
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 changed the request method from one that can carry a body (like `POST`) to `GET`, as HTTP RFCs require. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and it matches what other major HTTP client implementations, such as curl and web browsers, do.
💡 Remediation: Upgrade to version 1.26.18 or later (1.26 series; 2.0.7 on the 2.x series; the scanner listed commit 4e98d57809dacab1cbe625fddeec1a290c478ea9 here, which is not a PyPI release)
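
The urllib3 redirect entries on this page (CVE-2023-43804, CVE-2024-37891 and CVE-2026-44431 for credential headers, CVE-2023-45803 for the request body, CVE-2025-50181 for redirects that should not have been followed at all) come down to what a client must drop before re-sending a request to a Location it did not originally address. The added example below is not urllib3 or requests code; it models those decisions on a plain request dictionary so they can be checked without a network, and it applies regardless of which API path produced the redirect. The hostnames, headers and redirect hops are constructed.

```python
"""Decisions a redirect-follower must make before re-sending a request.

Added example, not urllib3 or requests code. It models the behaviour behind the redirect
entries on this page: drop Cookie, Authorization and Proxy-Authorization when the target
is a different origin (CVE-2023-43804, CVE-2024-37891, CVE-2026-44431), drop the body and
its headers when a 301/302/303 turns a POST into a GET (CVE-2023-45803), and refuse to
follow when the caller allowed no redirects (CVE-2025-50181). Requests are plain dicts;
nothing touches the network, and the request below is constructed.
"""
from urllib.parse import urljoin, urlsplit

SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed request: a login POST carrying every kind of header a redirect can leak.
REQUEST = {
    "method": "POST",
    "url": "https://api.example.com/login",
    "headers": {
        "Host": "api.example.com",
        "Cookie": "session=abc123",
        "Authorization": "Bearer t0k3n",
        "Proxy-Authorization": "Basic cHJveHk6cHc=",
        "Content-Type": "application/json",
        "Content-Length": "17",
        "User-Agent": "example-client/1.0",
    },
    "body": b'{"user": "alice"}',
}


class TooManyRedirects(Exception):
    pass


def origin(url):
    """(scheme, host, effective port): https://a and https://a:443 are the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _without(headers, names):
    return {k: v for k, v in headers.items() if k.lower() not in names}


def next_request(request, status, location, redirects_left):
    """Build the follow-up request for a 3xx, or raise when the redirect budget is spent.

    A budget of 0 means "do not follow at all", and that must hold regardless of any
    retry setting, which is the point of CVE-2025-50181.
    """
    if redirects_left <= 0:
        raise TooManyRedirects("redirect budget exhausted; not following")
    new_url = urljoin(request["url"], location)
    method, body, headers = request["method"], request["body"], dict(request["headers"])

    if origin(new_url) != origin(request["url"]):
        # Credentials were addressed to the old origin; the stale Host must go too.
        headers = _without(headers, SENSITIVE_HEADERS | {"host"})

    if status in (301, 302, 303) and method not in ("GET", "HEAD"):
        # The method becomes GET, so the body and the headers describing it are dropped.
        method, body = "GET", None
        headers = _without(headers, BODY_HEADERS)
    # 307 and 308 preserve method and body by definition.

    return {"method": method, "url": new_url, "headers": headers, "body": body}


def follow(request, hops, max_redirects=3):
    """Walk a constructed list of (status, Location) hops and return the final prepared request."""
    current = request
    for status, location in hops:
        current = next_request(current, status, location, max_redirects)
        max_redirects -= 1
    return current


def follow_or_refuse(request, hops, max_redirects=3):
    """follow(), but report an exhausted budget as a string instead of raising."""
    try:
        return follow(request, hops, max_redirects)
    except TooManyRedirects as exc:
        return f"refused: {exc}"


def leaked_headers(prepared):
    """Which credential headers a prepared request would still carry (for demonstrations)."""
    return sorted(k for k in prepared["headers"] if k.lower() in SENSITIVE_HEADERS)


if __name__ == "__main__":
    for status, loc in [(307, "/login"), (303, "https://cdn.example.net/done"), (302, "http://api.example.com/x")]:
        r = next_request(REQUEST, status, loc, 3)
        print(f"{status} -> {r['url']}: {r['method']}, body={r['body'] is not None}, credentials={leaked_headers(r)}")
```

Two details matter in practice: the origin comparison normalises default ports so that an explicit `:443` does not look cross-origin, while a scheme downgrade from https to http does, and the same credential-stripping rule is applied on every hop, so a 302 to the same host followed by a 301 to another host still ends with an empty credential set.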