Debian 11 python-django Moderate Security Flaws DLA-4484-1 CVE-2025-13473

Debian LTS
February 19, 2026
Explore the important security update for python-django addressing multiple vulnerabilities. Upgrade recommended.

Summary

- CVE-2025-13473: The check_password function in
django.contrib.auth.handlers.modwsgi for authentication via
mod_wsgi allowed remote attackers to enumerate users via a timing
attack.

- CVE-2026-1207: Raster lookups on RasterField (only implemented on
PostGIS) allowed remote attackers to inject SQL via the band index
parameter.

- CVE-2026-1285: The django.utils.text.Truncator.chars() and
Truncator.words() methods (with html=True) and the
truncatechars_html and truncatewords_html template filters allowed
a remote attacker to cause a potential denial-of-service via
crafted inputs containing a large number of unmatched HTML end
tags.

- CVE-2026-1287: FilteredRelation was subject to SQL injection in
column aliases via control characters using a suitably crafted
dictionary, with dictionary expansion, as the **kwargs passed to
QuerySet methods annotate(), aggregate(), extra(), values(),
values_list() and alias().

Severity: important

Package: python-django
Version: 2:2.2.28-1~deb11u12
