SB2026030538 - Anolis OS update for python-django

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026030538

SB2026030538 - Anolis OS update for python-django

Published: March 5, 2026

Security Bulletin ID SB2026030538
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 50% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2024-56374)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due lack of upper-bound limit enforcement in strings passed when performing IPv6 validation in clean_ipv6_address() and is_valid_ipv6_address() functions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2025-13473)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing difference in the mod_wsgi authentication handler within the django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi. A remote attacker can enumerate existing usernames.


3) Resource exhaustion (CVE-ID: CVE-2025-14550)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when using ASGIRequest. A remote attacker can send multiple requests with duplicated HTTP headers to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


4) SQL injection (CVE-ID: CVE-2026-1207)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed as a band index to raster lookups on GIS fields (only implemented on PostGIS). A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


5) Resource exhaustion (CVE-ID: CVE-2026-1285)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and truncatechars_html and truncatewords_html template filters. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


6) SQL injection (CVE-ID: CVE-2026-1312)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.order_by() method. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


Remediation

Install update from vendor's website.

References