PYSEC-2026-628

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2026-628.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-628
Aliases
Published
2026-07-02T14:13:09.430399Z
Modified
2026-07-06T08:11:04.714032155Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
Details

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0a1
Fixed
2.1.9
Introduced
2.2a1
Fixed
2.2.2

Affected versions

2.*
2.0a1
2.0b1
2.0rc1
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.12
2.0.13
2.1a1
2.1b1
2.1rc1
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.7
2.1.8
2.2a1
2.2b1
2.2rc1
2.2
2.2.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2026-628.yaml"