{"id":"MGASA-2026-0032","summary":"Updated python-django packages fix security vulnerabilities","details":"Username enumeration through timing difference in mod_wsgi\nauthentication handler. (CVE-2025-13473)\nPotential denial-of-service vulnerability via repeated headers when\nusing ASGI. (CVE-2025-14550)\nPotential SQL injection via raster lookups on PostGIS. (CVE-2026-1207)\nPotential denial-of-service vulnerability in django.utils.text.Truncator\nHTML methods. (CVE-2026-1285)\nPotential SQL injection in column aliases via control characters.\n(CVE-2026-1287)\nPotential SQL injection via QuerySet.order_by and FilteredRelation.\n(CVE-2026-1312)\n","modified":"2026-04-16T00:10:21.367045481Z","published":"2026-02-06T05:11:54Z","upstream":["CVE-2025-13473","CVE-2025-14550","CVE-2026-1207","CVE-2026-1285","CVE-2026-1287","CVE-2026-1312"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0032.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35103"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8009-1"}],"affected":[{"package":{"name":"python-django","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python-django?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.13-1.10.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0032.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}