CVE-2026-31815

Summary

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.

Affected Software

VendorProductVersion RangeStatus
django-commonsdjango-unicorn< 0.67.0affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control
  • CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References