CVE-2026-31815: django-unicorn affected by component state manipulation via unvalidated attribute access
Component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods.
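A simplified model of this flaw class, added here as an example and not django-unicorn's own code: a setter that passes a client-supplied name straight to setattr, beside versions that gate property updates and method calls on a public-name check. The names Counter, PROTECTED, is_public, set_property_unchecked, set_property_checked and call_method_checked are hypothetical, with is_public standing in for the _is_public check the advisory names.

```python
# Simplified model of the flaw class; NOT django-unicorn's implementation.
PROTECTED = {"template_name", "request", "render"}  # constructed list of internal names


class Counter:
    """Toy component: only `count` and `increment` are meant to be client-reachable."""
    template_name = "counter.html"

    def __init__(self):
        self.count = 0
        self._secret = "internal"

    def increment(self):
        self.count += 1
        return self.count

    def render(self):
        return f"<render {self.template_name}>"


def is_public(name):
    """Stand-in for the advisory's `_is_public` check (rules here are assumed)."""
    return not name.startswith("_") and name not in PROTECTED


def set_property_unchecked(component, path, value):
    """Flawed pattern: the client-supplied dotted name goes straight to setattr."""
    *parents, leaf = path.split(".")
    target = component
    for part in parents:
        target = getattr(target, part)
    setattr(target, leaf, value)


def set_property_checked(component, path, value):
    """Hardened pattern: every segment of the path must pass is_public."""
    parts = path.split(".")
    if not all(p and is_public(p) for p in parts):
        raise PermissionError(f"non-public attribute in path: {path!r}")
    set_property_unchecked(component, path, value)


def call_method_checked(component, name, *args):
    """Same gate applied to the method-call path."""
    if not is_public(name) or not callable(getattr(component, name, None)):
        raise PermissionError(f"non-public or unknown method: {name!r}")
    return getattr(component, name)(*args)
```

Checking every segment of the dotted path, not only the first or last, is what keeps a nested name from reaching an internal attribute through a public one.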