Alpine: multiple py3-django packages: security update to 4.2.26-r0

critical Tenable Cloud Security Plugin ID 436035

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization
in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`,
`django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to
a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
affected. Django would like to thank Seokchan Yoon for reporting this issue. (CVE-2025-64458)

- An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods
`QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL
injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector`
argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may
also be affected. Django would like to thank cyberstan for reporting this issue. (CVE-2025-64459)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-64458

https://security.alpinelinux.org/vuln/CVE-2025-64459

Plugin Details

Severity: Critical

ID: 436035

Version: Revision 1.12

Type: Local

Published: 11/13/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.81

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-64459

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/5/2025

Reference Information

CVE: CVE-2025-64458, CVE-2025-64459