QSearchQSearch

CVE-2021-3281

5.3 MEDIUM

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --templa...

Published: 2021-02-02 · Last updated: 2026-06-17

Severity and scoring

CVSS
5.3 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE
CWE-22

Affected products

VendorProduct
djangoprojectdjango, fedora, snapcenter
fedoraprojectdjango, fedora, snapcenter
netappdjango, fedora, snapcenter

Description

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-8404 An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
  • CVE-2026-7666 An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
  • CVE-2026-6873 An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
  • CVE-2026-48587 An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
  • CVE-2026-44546 daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)

Same CWE

  • CVE-2026-48777 FileBrowser Quantum is a free, self-hosted, web-based file manager
  • CVE-2026-8442 The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
  • CVE-2026-49766 Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
  • CVE-2026-49061 Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
  • CVE-2026-40779 Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)