django
Safeguard articles tagged "django" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.
Preventing XSS in Django applications
Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.
Finding and fixing IDOR vulnerabilities in Python
Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.
Django Security Best Practices for 2026
Django ships with strong defaults, but misconfigured settings, raw ORM queries, and unpinned dependencies still cause real breaches. Here is the checklist that matters.
Reachability Analysis for Python and pip in 2026
Python reachability is hard but useful: dynamic dispatch, monkey-patching, optional extras, and how modern tools handle real Django and FastAPI services.
Django CSRF protection and common session security miscon...
Django's CSRF defaults are solid, but wildcards, exempted webhooks, and reordered middleware quietly undo them. Here's where django csrf misconfiguration actually happens.
Django str.format denial of service (CVE-2023-41164)
CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.
Django admin ChangeList path traversal (CVE-2021-33203)
CVE-2021-33203 is a staff-only path traversal in Django's admindocs TemplateDetailView. Here's what's affected, its CVSS/EPSS profile, and how to remediate it.
Django GIS SQL injection (CVE-2020-9402)
CVE-2020-9402 lets attackers inject SQL via Django GIS's tolerance parameter on Oracle. Versions, CVSS/EPSS data, timeline, and fixes inside.
CVE-2019-19844: Django password reset token weakness
CVE-2019-19844 let attackers hijack Django accounts by exploiting how case-sensitive email matching broke the base36 password reset token flow.
CVE-2018-14574: Open redirect in Django CommonMiddleware
CVE-2018-14574 let attackers abuse Django CommonMiddleware's APPEND_SLASH redirect to send users to external, attacker-controlled domains.
CVE-2022-34265: SQL injection via Trunc/Extract database ...
A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.