Vulnerability Details CVE-2026-4277
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.6%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-4277
-
cpe:2.3:a:djangoproject:django:4.2
-
cpe:2.3:a:djangoproject:django:4.2.0
-
cpe:2.3:a:djangoproject:django:4.2.1
-
cpe:2.3:a:djangoproject:django:4.2.10
-
cpe:2.3:a:djangoproject:django:4.2.11
-
cpe:2.3:a:djangoproject:django:4.2.12
-
cpe:2.3:a:djangoproject:django:4.2.13
-
cpe:2.3:a:djangoproject:django:4.2.14
-
cpe:2.3:a:djangoproject:django:4.2.15
-
cpe:2.3:a:djangoproject:django:4.2.16
-
cpe:2.3:a:djangoproject:django:4.2.17
-
cpe:2.3:a:djangoproject:django:4.2.18
-
cpe:2.3:a:djangoproject:django:4.2.19
-
cpe:2.3:a:djangoproject:django:4.2.2
-
cpe:2.3:a:djangoproject:django:4.2.20
-
cpe:2.3:a:djangoproject:django:4.2.21
-
cpe:2.3:a:djangoproject:django:4.2.22
-
cpe:2.3:a:djangoproject:django:4.2.23
-
cpe:2.3:a:djangoproject:django:4.2.24
-
cpe:2.3:a:djangoproject:django:4.2.25
-
cpe:2.3:a:djangoproject:django:4.2.26
-
cpe:2.3:a:djangoproject:django:4.2.28
-
cpe:2.3:a:djangoproject:django:4.2.3
-
cpe:2.3:a:djangoproject:django:4.2.4
-
cpe:2.3:a:djangoproject:django:4.2.5
-
cpe:2.3:a:djangoproject:django:4.2.6
-
cpe:2.3:a:djangoproject:django:4.2.7
-
cpe:2.3:a:djangoproject:django:4.2.8
-
cpe:2.3:a:djangoproject:django:4.2.9
-
cpe:2.3:a:djangoproject:django:5.2
-
cpe:2.3:a:djangoproject:django:5.2.1
-
cpe:2.3:a:djangoproject:django:5.2.10
-
cpe:2.3:a:djangoproject:django:5.2.11
-
cpe:2.3:a:djangoproject:django:5.2.2
-
cpe:2.3:a:djangoproject:django:5.2.3
-
cpe:2.3:a:djangoproject:django:5.2.4
-
cpe:2.3:a:djangoproject:django:5.2.5
-
cpe:2.3:a:djangoproject:django:5.2.6
-
cpe:2.3:a:djangoproject:django:5.2.7
-
cpe:2.3:a:djangoproject:django:5.2.8
-
cpe:2.3:a:djangoproject:django:6.0
-
cpe:2.3:a:djangoproject:django:6.0.1
-
cpe:2.3:a:djangoproject:django:6.0.2