issue with severity “moderate”, one security issue with severity “low”, and several bugs in 5.1. CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled one security issue with severity “moderate” and one security issue with severity “low” in 5.0.8. CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc

issues with severity “moderate”, one security issue with severity “high”, and several bugs in 5.0.7. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() If floatformat received significant memory consumption. To avoid this, decimals with more than 200 digits are now returned as is. CVE-2024-41990: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

1, 2023 Django 4.2.7 fixes a security issue with severity “moderate” and several bugs in 4.2.6. CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows The NFKC normalization several bugs in 4.2.5. CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator Following the fix for CVE-2019-14232 [https://nvd.nist.gov/vuln/detail/CVE-2019- 14232], the regular 4, 2023 Django 4.2.5 fixes a security issue with severity “moderate” and several bugs in 4.2.4. CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() django

3, 2023 Django 4.2.3 fixes a security issue with severity “moderate” and several bugs in 4.2.2. CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator notes May 3, 2023 Django 4.2.1 fixes a security issue with severity “low” and several bugs in 4.2. CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field Uploading The private internal vendored copy of urllib.parse.urlsplit() now strips '\r', '\n', and '\t' (see CVE-2022-0391 and bpo-43882). This is to protect projects that may be incorrectly using the internal u

release notes July 3, 2023 Django 4.1.10 fixes a security issue with severity “moderate” in 4.1.9. CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator 1.9 release notes May 3, 2023 Django 4.1.9 fixes a security issue with severity “low” in 4.1.8. CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field Uploading February 14, 2023 Django 4.1.7 fixes a security issue with severity “moderate” and a bug in 4.1.6. CVE-2023-24580: Potential denial-of-service vulnerability in file uploads Passing certain inputs to multipart

notes February 14, 2023 Django 4.0.10 fixes a security issue with severity “moderate” in 4.0.9. CVE-2023-24580: Potential denial-of-service vulnerability in file uploads Passing certain inputs to multipart release notes February 1, 2023 Django 4.0.9 fixes a security issue with severity “moderate” in 4.0.8. CVE-2023-23969: Potential denial-of-service via Accept- Language headers The parsed values of Accept-Language release notes October 4, 2022 Django 4.0.8 fixes a security issue with severity “medium” in 4.0.7. CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs Internationalized

release notes July 3, 2023 Django 3.2.20 fixes a security issue with severity “moderate” in 3.2.19. CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator 19 release notes May 3, 2023 Django 3.2.19 fixes a security issue with severity “low” in 3.2.18. CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field Uploading notes February 14, 2023 Django 3.2.18 fixes a security issue with severity “moderate” in 3.2.17. CVE-2023-24580: Potential denial-of-service vulnerability in file uploads Passing certain inputs to multipart

release notes April 11, 2022 Django 2.2.28 fixes two security issues with severity “high” in 2.2.27. CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra() QuerySet.annotate() suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods. CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL QuerySet.explain() notes February 1, 2022 Django 2.2.27 fixes two security issues with severity “medium” in 2.2.26. CVE-2022-22818: Possible XSS via {% debug %} template tag The {% debug %} template tag didn’t properly

release notes December 7, 2021 Django 3.1.14 fixes a security issue with severity “low” in 3.1.13. CVE-2021-44420: Potential bypass of an upstream access control based on URL paths HTTP requests for URLs release notes July 1, 2021 Django 3.1.13 fixes a security issue with severity “high” in 3.1.12. CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input Unsanitized user input removed. Django 3.1.12 release notes June 2, 2021 Django 3.1.12 fixes two security issues in 3.1.11. CVE-2021-33203: Potential directory traversal via admindocs Staff members could use the admindocs TemplateDetailView

security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 6.1.4 Fix broken links to jupyter documentation (5686 [https://github.com/jupyt McDonald Tres DuBiel 6.0.2 Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE- 2019-11358) Update CodeMirror to version 5.48.4 to fix Python formatting issues Continue removing minor releases of Jupyter Notebook and also included in version 6.0. Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a malicious