CVE-2026-4277

CRITICAL

BIT-DJANGO-2026-4277 Privilege abuse in GenericInlineModelAdmin

Details

CVSS v3: 9.8
NVD published: 2026-04-07 15:17:46
EPSS: <0.1% probability · 17.4th percentile — 2026-04-17
Affected versions: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Summary: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Remediation: Not available in our cache.
Exploit info: Not available in our cache.

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.