CVE-2022-22818

MEDIUM

Django 2.2-2.2.26, 3.2-3.2.11, 4.0-4.0.1 - Cross-Site Scripting via {% debug %} Template Tag

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-22818, a PoC published by Prikalel.

AI-analyzed exploit summary: This repository contains a fuzzer for Django templates to discover XSS vulnerabilities, specifically targeting CVE-2022-22818. It uses a custom grammar-based fuzzer to generate HTML templates and test for vulnerabilities in Django's template rendering engine.

Description

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context: the tag dumps every context layer into the page as raw text, with no HTML escaping, so any context value an attacker can influence (for example one derived from a request parameter) is emitted as live markup. If a template containing the tag is reachable by users, this may lead to XSS. The fixed releases HTML-escape the dumped output.
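The following is an added example written for this page, not Django's own source. It reproduces the shape of the `{% debug %}` render path before and after the fix (a `pformat()` of each context layer, with the fix wrapping each result in `escape()`), using Python's `html.escape` as a stand-in for `django.utils.html.escape` and leaving out the `sys.modules` dump. It also includes two checks a practitioner would run: a scanner for `{% debug %}` tags in template source and a version test against the ranges in the description. The sample context and template are constructed; the optional `render_with_django` helper assumes a minimal `TEMPLATES` setting and only runs if Django is installed.

```python
"""Added example: the shape of the {% debug %} bug, plus two quick checks.

Stand-alone code written for this page, not Django's own source.
render_debug_vulnerable/render_debug_fixed mirror the before/after shape of
DebugNode.render (pformat of each context layer; the fix wraps each result in
escape()), with html.escape standing in for django.utils.html.escape and the
sys.modules dump left out.  SAMPLE_CONTEXT and SAMPLE_TEMPLATE are constructed.
"""
import html
import re
from pprint import pformat

# Constructed context layers, like the dicts inside a Django Context.
# "q" models a value copied straight from an untrusted request parameter.
SAMPLE_CONTEXT = [
    {"True": True, "False": False, "None": None},
    {"q": "<script>alert(document.domain)</script>", "user": "alice"},
]

# Constructed template with a {% debug %} left in on line 3.
SAMPLE_TEMPLATE = """<h1>Search</h1>
<p>{{ q }}</p>
{% debug %}
<footer>{{ user }}</footer>
"""

# Ranges from the description: affected series -> first fixed patch release.
FIXED_PATCH = {(2, 2): 27, (3, 2): 12, (4, 0): 2}


def render_debug_vulnerable(context_dicts):
    """Pre-fix shape: pformat() output is emitted as raw HTML."""
    return "".join(pformat(layer) for layer in context_dicts)


def render_debug_fixed(context_dicts):
    """Post-fix shape: each pformat() result is HTML-escaped first."""
    return "".join(html.escape(pformat(layer)) for layer in context_dicts)


def contains_raw_markup(rendered, needle="<script>"):
    """True if the needle survives rendering as live markup."""
    return needle in rendered


DEBUG_TAG = re.compile(r"{%\s*debug\s*%}")


def find_debug_tags(template_source):
    """1-based line numbers carrying a {% debug %} tag (for auditing templates)."""
    return [n for n, line in enumerate(template_source.splitlines(), 1)
            if DEBUG_TAG.search(line)]


def is_vulnerable_version(version):
    """True/False for the three series in the advisory, None for any other series.

    Accepts plain numeric versions such as "4.0.1" or "2.2".
    """
    parts = [int(p) for p in version.split(".")[:3]]
    series = tuple(parts[:2])
    if series not in FIXED_PATCH:
        return None
    patch = parts[2] if len(parts) > 2 else 0
    return patch < FIXED_PATCH[series]


def render_with_django(value):
    """Optional: render the real tag if Django is importable (None otherwise).

    Run once on a vulnerable and once on a fixed release to see the difference
    for real.  The settings below are a minimal assumed configuration.
    """
    try:
        import django
        from django.conf import settings
        from django.template import Context, Template
    except ImportError:
        return None
    if not settings.configured:
        settings.configure(TEMPLATES=[
            {"BACKEND": "django.template.backends.django.DjangoTemplates"}])
        django.setup()
    return Template("{% debug %}").render(Context({"q": value}))


if __name__ == "__main__":
    print("vulnerable shape leaks markup:", contains_raw_markup(render_debug_vulnerable(SAMPLE_CONTEXT)))
    print("fixed shape leaks markup:     ", contains_raw_markup(render_debug_fixed(SAMPLE_CONTEXT)))
    print("{% debug %} on template lines:", find_debug_tags(SAMPLE_TEMPLATE))
    for v in ("2.2.26", "3.2.12", "4.0.1", "4.0.2"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The practical takeaway is the two checks: `{% debug %}` should not ship in production templates at all, and on the affected series the only real fix is upgrading to 2.2.27, 3.2.12 or 4.0.2, since the tag escapes nothing on its own.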

Exploits (1)

nomisec WORKING POC 3 stars
by Prikalel · poc
https://github.com/Prikalel/django-xss-example

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Django 4.0.1
No auth needed
Prerequisites: Django 4.0.1 installed · Python environment with required dependencies · Linux environment recommended
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0055
EPSS Percentile 68.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (4)
debian/debian_linux 11.0
djangoproject/django 2.2 - 2.2.27
fedoraproject/fedora 35
pypi/Django 2.2 - 2.2.27 (PyPI)
Published Feb 03, 2022
Tracked Since Feb 18, 2026