GHSA-pwjp-ccjc-ghwg · Severity: low · Ecosystem: pip — Django vulnerable to privilege abuse in GenericInlineModelAdmin
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Conclusion & alert: CVE-2026-4277 is rated Moderate Risk (41.1/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-21 | 0.05% | 0.02% | -0.03% |
| 2 | 2026-04-13 | 0.01% | 0.05% | +0.04% |
| 3 | 2026-04-08 | — | 0.01% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-pwjp-ccjc-ghwg · Severity: low · Ecosystem: pip — Django vulnerable to privilege abuse in GenericInlineModelAdmin
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-4277: 1 source package rows (py3-django); 2 state rows across 2 repos (3.23-community, edge-community); fixed 2, open 0. | https://security.alpinelinux.org/vuln/CVE-2026-4277 |
debian
|
not yet assigned | CVE-2026-4277 not yet assigned priority: Debian including 1 source packages (python-django), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-4277 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-4277 |
suse
|
medium | CVE-2026-4277 severity moderate: SUSE including 5 source package names (python311-Django4-4.2.30-1.1, python313-Django4-4.2.30-1.1, python313-Django6-6.0.4-1.1, python314-Django4-4.2.30-1.1, python314-Django6-6.0.4-1.1), 5 product×package rows across 1 product lines (openSUSE Tumbleweed): Fixed 5. | https://www.suse.com/security/cve/CVE-2026-4277/ |
ubuntu
|
low | CVE-2026-4277 low priority: Ubuntu including 1 source packages (python-django), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): released 7, ignored 1. | https://ubuntu.com/security/CVE-2026-4277 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| djangoproject | django | >= 4.2, < 4.2.30 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 5.2, < 5.2.13 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 6.0, < 6.0.4 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://docs.djangoproject.com/en/dev/releases/security/ | Patch Vendor Advisory |
| https://groups.google.com/g/django-announce | Release Notes |
| https://www.djangoproject.com/weblog/2026/apr/07/security-releases/ | Patch Vendor Advisory |