CVE-2016-9013: User with hardcoded password created when running tests on Oracle. When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn"t manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect. CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True. Older versions of Django don"t validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack. While Django doesn"t ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there"s no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account. Fixed In Version: Django 1.10.3, Django 1.9.11, Django 1.8.16 Reference: