VDB
KO
MEDIUM 6.1

PYSEC-2026-804

Django REST framework XSS Vulnerability

Details

Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django-rest-framework
Introduced in: 0 Fixed in: 3.9.1
Fix pip install --upgrade 'django-rest-framework>=3.9.1'

References