VDB
DEBIAN-CVE-2025-59682
DEBIAN-CVE-2025-59682
PUBLISHED
CVSS 6.5 MEDIUM
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | python-django | 0, 3:4.2.23-1, 3:4.2.24-1 |
| Debian:14 | python-django | 0, 3:4.2.23-1, 3:4.2.24-1 |
| Debian:11 | python-django | *, 2:2.2.28-1~deb11u6, 2:2.2.28-1~deb11u7 |
| Debian:12 | python-django | 3:3.2.19-1, 3:3.2.19-1+deb12u1~bpo11+1, 3:3.2.19-1+deb12u2 |
Timeline
- Oct 1, 2025 CVE Published
- Apr 28, 2026 CVE Updated