Safeguard
Tag

django

Safeguard articles tagged "django" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
Application Security

Preventing XSS in Django applications

Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.

Jul 14, 20266 min read
Application Security

Finding and fixing IDOR vulnerabilities in Python

Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.

Jul 8, 20266 min read
Security Guides

Django Security Best Practices for 2026

Django ships with strong defaults, but misconfigured settings, raw ORM queries, and unpinned dependencies still cause real breaches. Here is the checklist that matters.

Jul 1, 20266 min read
Application Security

Reachability Analysis for Python and pip in 2026

Python reachability is hard but useful: dynamic dispatch, monkey-patching, optional extras, and how modern tools handle real Django and FastAPI services.

Feb 26, 20266 min read
Regulatory Compliance

Django CSRF protection and common session security miscon...

Django's CSRF defaults are solid, but wildcards, exempted webhooks, and reordered middleware quietly undo them. Here's where django csrf misconfiguration actually happens.

Jan 27, 20267 min read
Vulnerability Analysis

Django str.format denial of service (CVE-2023-41164)

CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.

Dec 28, 20256 min read
Vulnerability Analysis

Django admin ChangeList path traversal (CVE-2021-33203)

CVE-2021-33203 is a staff-only path traversal in Django's admindocs TemplateDetailView. Here's what's affected, its CVSS/EPSS profile, and how to remediate it.

Dec 28, 20257 min read
Vulnerability Analysis

Django GIS SQL injection (CVE-2020-9402)

CVE-2020-9402 lets attackers inject SQL via Django GIS's tolerance parameter on Oracle. Versions, CVSS/EPSS data, timeline, and fixes inside.

Dec 27, 20257 min read
Vulnerability Analysis

CVE-2019-19844: Django password reset token weakness

CVE-2019-19844 let attackers hijack Django accounts by exploiting how case-sensitive email matching broke the base36 password reset token flow.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2018-14574: Open redirect in Django CommonMiddleware

CVE-2018-14574 let attackers abuse Django CommonMiddleware's APPEND_SLASH redirect to send users to external, attacker-controlled domains.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2022-34265: SQL injection via Trunc/Extract database ...

A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.

Oct 8, 20257 min read
django — Safeguard Blog