ch4n3-yoon

9 exploits Active since Jun 2024
CVE-2026-33033 GITHUB MEDIUM python WORKING POC
Django < 6.0.4, 5.2.13, 4.2.30 - MultiPartParser Base64 Upload Denial of Service
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
3 stars
CVSS 6.5
CVE-2025-62727 GITHUB HIGH python WORKING POC
Starlette 0.39.0-0.49.0 - Unauthenticated Denial of Service via HTTP Range Header
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
1 stars
CVSS 7.5
CVE-2026-33033 NOMISEC MEDIUM WORKING POC
Django < 6.0.4, 5.2.13, 4.2.30 - MultiPartParser Base64 Upload Denial of Service
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
CVSS 6.5
CVE-2025-64458 GITHUB HIGH python WORKING POC
Django 4.2-4.2.25, 5.1-5.1.13, 5.2-5.2.7 - Denial of Service via NFKC Unicode Normalization
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
CVSS 7.5
CVE-2024-21520 NOMISEC MEDIUM WORKING POC
djangorestframework < 3.15.2 - Cross-Site Scripting via break_long_headers Template Filter
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.
CVSS 6.1
CVE-2026-3276 WRITEUP MEDIUM WRITEUP
Python Software Foundation CPython - Potential DoS via Quadratic Complexity in unicodedata.normalize()
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
CVE-2026-3276 WRITEUP MEDIUM WRITEUP
Python Software Foundation CPython - Potential DoS via Quadratic Complexity in unicodedata.normalize()
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
CVE-2026-3276 WRITEUP MEDIUM WRITEUP
Python Software Foundation CPython - Potential DoS via Quadratic Complexity in unicodedata.normalize()
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
CVE-2026-3276 WRITEUP MEDIUM WRITEUP
Python Software Foundation CPython - Potential DoS via Quadratic Complexity in unicodedata.normalize()
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.