Packages
- python-django - High-level Python web development framework
Details
It was discovered that Django exposed timing information when checking
passwords. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests
with duplicate headers. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An
attacker could possibly use this issue to perform SQL injection attacks.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)
Seokchan Yoon discovered that Django incorrectly handled malformed HTML
inputs containing a large...
It was discovered that Django exposed timing information when checking
passwords. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests
with duplicate headers. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An
attacker could possibly use this issue to perform SQL injection attacks.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)
Seokchan Yoon discovered that Django incorrectly handled malformed HTML
inputs containing a large amount of unmatched HTML end tags. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1285)
Solomon Kebede discovered that Django incorrectly handled control
characters in the dictionary expansion of certain QuerySet methods. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2026-1287)
Solomon Kebede discovered that Django incorrectly handled column alias
parsing with dictionary expansion. An attacker could possibly use this
issue to perform SQL injection attacks. This issue only affected Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.10 questing | python3-django – 3:5.2.4-1ubuntu2.3 | ||
| 24.04 LTS noble | python3-django – 3:4.2.11-1ubuntu1.14 | ||
| 22.04 LTS jammy | python3-django – 2:3.2.12-2ubuntu1.25 | ||
| 20.04 LTS focal | python3-django – 2:2.2.12-1ubuntu0.29+esm7 | ||
| 18.04 LTS bionic | python-django – 1:1.11.11-1ubuntu1.21+esm14 | ||
| python3-django – 1:1.11.11-1ubuntu1.21+esm14 | |||
| 16.04 LTS xenial | python-django – 1.8.7-1ubuntu5.15+esm11 | ||
| python3-django – 1.8.7-1ubuntu5.15+esm11 | |||
| 14.04 LTS trusty | python-django – 1.6.11-0ubuntu1.3+esm10 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.