Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient input sanitization in FilteredRelation column aliases. The FilteredRelation class fails to properly validate or escape column alias names when they are provided through dictionary expansion as keyword arguments to QuerySet.annotate() or QuerySet.alias() methods, allowing malicious SQL code to be injected directly into the generated database queries.

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient neutralization of user-controlled column alias names provided via dictionary expansion. The QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods accept **kwargs whose keys are used as column aliases, and on MySQL and MariaDB, those identifiers are not safely quoted, permitting crafted input to be incorporated into the generated SQL.

CVE-2025-64458: Affected versions of the Django package are vulnerable to Denial of Service (DoS) due to slow Unicode NFKC normalization on Windows being applied to untrusted inputs. The django.contrib.auth.views.LoginView and django.contrib.auth.views.LogoutView, and django.views.i18n.set_language normalize user-controlled strings using Python’s NFKC algorithm, which is unusually slow on Windows for huge Unicode sequences and can be triggered to consume excessive CPU.

CVE-2025-64459: Affected versions of the Django package are vulnerable to SQL Injection due to improper input validation, allowing the internal _connector keyword argument to be accepted from untrusted dictionaries via expansion. The .filter(), .exclude(), and .get() methods on QuerySet, as well as the Q class, resolve **kwargs and will treat a supplied _connector value as the logical connector without constraining it to the expected set (AND/OR), permitting attacker-controlled tokens to influence SQL predicate construction.

Affected versions of the Django package are vulnerable to Path Traversal due to improper validation of archive member paths during extraction. The django.utils.archive.extract() function—used by the startapp --template and startproject --template commands—checked path prefixes instead of using canonicalised paths, allowing archive entries whose names share a prefix with the destination to resolve outside the intended directory.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient input sanitization in FilteredRelation column aliases. The FilteredRelation class fails to properly validate or escape column alias names when they are provided through dictionary expansion as keyword arguments to QuerySet.annotate() or QuerySet.alias() methods, allowing malicious SQL code to be injected directly into the generated database queries.

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient neutralization of user-controlled column alias names provided via dictionary expansion. The QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods accept **kwargs whose keys are used as column aliases, and on MySQL and MariaDB, those identifiers are not safely quoted, permitting crafted input to be incorporated into the generated SQL.

CVE-2025-64458: Affected versions of the Django package are vulnerable to Denial of Service (DoS) due to slow Unicode NFKC normalization on Windows being applied to untrusted inputs. The django.contrib.auth.views.LoginView and django.contrib.auth.views.LogoutView, and django.views.i18n.set_language normalize user-controlled strings using Python’s NFKC algorithm, which is unusually slow on Windows for huge Unicode sequences and can be triggered to consume excessive CPU.

CVE-2025-64459: Affected versions of the Django package are vulnerable to SQL Injection due to improper input validation, allowing the internal _connector keyword argument to be accepted from untrusted dictionaries via expansion. The .filter(), .exclude(), and .get() methods on QuerySet, as well as the Q class, resolve **kwargs and will treat a supplied _connector value as the logical connector without constraining it to the expected set (AND/OR), permitting attacker-controlled tokens to influence SQL predicate construction.

Affected versions of the Django package are vulnerable to Path Traversal due to improper validation of archive member paths during extraction. The django.utils.archive.extract() function—used by the startapp --template and startproject --template commands—checked path prefixes instead of using canonicalised paths, allowing archive entries whose names share a prefix with the destination to resolve outside the intended directory.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient input sanitization in FilteredRelation column aliases. The FilteredRelation class fails to properly validate or escape column alias names when they are provided through dictionary expansion as keyword arguments to QuerySet.annotate() or QuerySet.alias() methods, allowing malicious SQL code to be injected directly into the generated database queries.

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient neutralization of user-controlled column alias names provided via dictionary expansion. The QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods accept **kwargs whose keys are used as column aliases, and on MySQL and MariaDB, those identifiers are not safely quoted, permitting crafted input to be incorporated into the generated SQL.

CVE-2025-64458: Affected versions of the Django package are vulnerable to Denial of Service (DoS) due to slow Unicode NFKC normalization on Windows being applied to untrusted inputs. The django.contrib.auth.views.LoginView and django.contrib.auth.views.LogoutView, and django.views.i18n.set_language normalize user-controlled strings using Python’s NFKC algorithm, which is unusually slow on Windows for huge Unicode sequences and can be triggered to consume excessive CPU.

CVE-2025-64459: Affected versions of the Django package are vulnerable to SQL Injection due to improper input validation, allowing the internal _connector keyword argument to be accepted from untrusted dictionaries via expansion. The .filter(), .exclude(), and .get() methods on QuerySet, as well as the Q class, resolve **kwargs and will treat a supplied _connector value as the logical connector without constraining it to the expected set (AND/OR), permitting attacker-controlled tokens to influence SQL predicate construction.

Affected versions of the Django package are vulnerable to Path Traversal due to improper validation of archive member paths during extraction. The django.utils.archive.extract() function—used by the startapp --template and startproject --template commands—checked path prefixes instead of using canonicalised paths, allowing archive entries whose names share a prefix with the destination to resolve outside the intended directory.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.

Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perform bounds checking when writing to the destination buffer, leading to a heap buffer overflow condition. This vulnerability was introduced in Pillow 11.2.0 when BCn compression support for DDS format was added.