{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31815", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.914Z", "datePublished": "2026-03-10T21:07:08.198Z", "dateUpdated": "2026-03-11T14:18:26.595Z"}, "containers": {"cna": {"title": "django-unicorn affected by component state manipulation via unvalidated attribute access", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367"}], "affected": [{"vendor": "django-commons", "product": "django-unicorn", "versions": [{"version": "< 0.67.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:07:08.198Z"}, "descriptions": [{"lang": "en", "value": "Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0."}], "source": {"advisory": "GHSA-ffv6-jj46-x367", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:17:42.872101Z", "id": "CVE-2026-31815", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:18:26.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31815", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:17:42.872101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:18:22.134Z"}}], "cna": {"title": "django-unicorn affected by component state manipulation via unvalidated attribute access", "source": {"advisory": "GHSA-ffv6-jj46-x367", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "django-commons", "product": "django-unicorn", "versions": [{"status": "affected", "version": "< 0.67.0"}]}], "references": [{"url": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367", "name": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T21:07:08.198Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31815", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:18:26.595Z", "dateReserved": "2026-03-09T16:33:42.914Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T21:07:08.198Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:django-unicorn:unicorn:*:*:*:*:*:django:*:*", "matchCriteriaId": "4824A04E-42A4-440A-BE05-1CF5473B9545", "versionEndExcluding": "0.67.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0."}, {"lang": "es", "value": "Unicorn a\u00f1ade funcionalidad de componente reactivo moderno a tus plantillas de Django. Antes de la versi\u00f3n 0.67.0, la manipulaci\u00f3n del estado del componente es posible en django-unicorn debido a la falta de comprobaciones de control de acceso durante las actualizaciones de propiedades y las llamadas a m\u00e9todos. Un atacante puede eludir la protecci\u00f3n _is_public prevista para modificar atributos internos como template_name o activar m\u00e9todos protegidos. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.67.0."}], "id": "CVE-2026-31815", "lastModified": "2026-03-18T19:36:52.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T22:16:19.000", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.67.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "django-unicorn", "source": "cna", "vendor": "django-commons"}, "product": "django-unicorn", "vendor": "django-commons"}], "analysis": {"en": {"generated_at": "2026-04-16T03:12:58.407749+00:00", "value": {"mitigation_remediation": ["Upgrade django-unicorn to version 0.67.0 or later", "Limit component exposure by ensuring that only authenticated or authorized users can interact with components that perform state changes", "Review custom component implementations for unintended public access to internal attributes or protected methods"], "summary": {"action": "Patch", "impact": "Unrestricted internal attribute manipulation"}, "threat_synthesis": {"affected_systems": "django-commons:django-unicorn; all releases before version 0.67.0 are affected.", "description_and_impact": "Uncontrolled updates of component properties in django-unicorn versions prior to 0.67.0 allow an attacker to bypass the intended _is_public protection, enabling modification of internal attributes such as template_name and triggering protected methods; this constitutes an Access Control flaw that could lead to unintended behavior or exposure of internal data.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity. EPSS is below 1%, suggesting a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation is likely achievable via remote web requests that manipulate component state, as the checks missing during property updates and method calls make the attack vector feasible in deployed applications."}}}}, "created": "2026-03-11T11:42:02.797103+00:00", "updated": "2026-04-16T03:15:22.949944+00:00", "vendors": ["django-commons", "django-commons$PRODUCT$django-unicorn"]}