{"id":"CVE-2018-7536","details":"An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.","aliases":["GHSA-r28v-mw67-m5p9","PYSEC-2018-5"],"modified":"2026-03-20T11:26:32.817794Z","published":"2018-03-09T20:29:00.613Z","related":["MGASA-2018-0166","SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1","SUSE-SU-2018:1828-1","SUSE-SU-2018:1830-1","openSUSE-SU-2018:0651-1","openSUSE-SU-2023:0077-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"ADVISORY","url":"https://usn.ubuntu.com/3591-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4161"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/103361"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0265"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0051"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0082"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"},{"type":"FIX","url":"https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2"},{"type":"FIX","url":"https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16"},{"type":"FIX","url":"https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"6a0dc2176f4ebf907e124d433411e52bba39a28e"},{"fixed":"c686dd8e6bb3817bcf04b8f13c025b4d3c3dc6dc"},{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"1cc5aceac0a73468a6d1a671b9c86423e5bcf011"},{"introduced":"8c85c8692240e5ae4b568eb4272475fe1fa4b059"},{"fixed":"2d73ffc6f96e399716a1ed3f58acd4e99afa3d33"},{"fixed":"1ca63a66ef3163149ad822701273e8a1844192c2"},{"fixed":"abf89d729f210c692a50e0ad3f75fb6bec6fae16"},{"fixed":"e157315da3ae7005fa0683ffc9751dbeca7306c8"}],"database_specific":{"versions":[{"introduced":"1.8"},{"fixed":"1.8.19"},{"introduced":"1.11"},{"fixed":"1.11.11"},{"introduced":"2.0"},{"fixed":"2.0.3"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10"}]},{"events":[{"introduced":"0"},{"last_affected":"13"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-7536.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}