Description
Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted internal attribute manipulation
Action: Patch
AI Analysis

Impact

Uncontrolled updates of component properties in django-unicorn versions prior to 0.67.0 allow an attacker to bypass the intended _is_public protection, enabling modification of internal attributes such as template_name and triggering protected methods; this constitutes an Access Control flaw that could lead to unintended behavior or exposure of internal data.

Affected Systems

django-commons:django-unicorn; all releases before version 0.67.0 are affected.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. EPSS is below 1%, suggesting a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation is likely achievable via remote web requests that manipulate component state, as the checks missing during property updates and method calls make the attack vector feasible in deployed applications.

Generated by OpenCVE AI on April 16, 2026 at 03:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade django-unicorn to version 0.67.0 or later
  • Limit component exposure by ensuring that only authenticated or authorized users can interact with components that perform state changes
  • Review custom component implementations for unintended public access to internal attributes or protected methods

Generated by OpenCVE AI on April 16, 2026 at 03:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ffv6-jj46-x367 django-unicorn affected by component state manipulation via unvalidated attribute access
History

Wed, 18 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Django-unicorn
Django-unicorn unicorn
CPEs cpe:2.3:a:django-unicorn:unicorn:*:*:*:*:*:django:*:*
Vendors & Products Django-unicorn
Django-unicorn unicorn

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Django-commons
Django-commons django-unicorn
Vendors & Products Django-commons
Django-commons django-unicorn

Tue, 10 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.
Title django-unicorn affected by component state manipulation via unvalidated attribute access
Weaknesses CWE-284
CWE-915
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Django-commons Django-unicorn
Django-unicorn Unicorn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:18:26.595Z

Reserved: 2026-03-09T16:33:42.914Z

Link: CVE-2026-31815

cve-icon Vulnrichment

Updated: 2026-03-11T14:18:22.134Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:19.000

Modified: 2026-03-18T19:36:52.713

Link: CVE-2026-31815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses