CVE-2025-13473

Medium CVSS: 5.3

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.

Vendor

Djangoproject

Product

Django

CWE

CWE-208

Yayın Tarihi

2026-02-03 15:16:11

Güncelleme

2026-02-04 17:10:36

Source Identifier

6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

KEV Date Added

Kategoriler

CWE-208 Django MEDIUM Djangoproject 2026

Referanslar

https://docs.djangoproject.com/en/dev/releases/security/ https://groups.google.com/g/django-announce https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

Benzer Kayıtlar

High

CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django…

Low

CVE-2026-25674

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system sto…

Medium

CVE-2026-1207

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField``…

High

CVE-2026-1285

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.char…

Medium

CVE-2026-1287

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to…

Medium

CVE-2026-1312

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject…