CVE-2026-31815 PUBLISHED

django-unicorn affected by component state manipulation via unvalidated attribute access

Assigner: GitHub_M
Reserved: 09.03.2026
Published: 10.03.2026
Updated: 11.03.2026

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn because property updates and method calls are applied without access control checks. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or to call protected methods. This vulnerability is fixed in 0.67.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor django-commons
Product django-unicorn
Versions
  • Version < 0.67.0 is affected

Problem Types

  • CWE-284: Improper Access Control
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes