We're seeing a few django versions flagged as vulnerable:
django@4.2.30:
ECHO-01ac-8821-274a: (no details available)
ECHO-1dc5-af13-00c1: (no details available)
ECHO-37cc-2ae7-e3c8: (no details available)
ECHO-5818-1fba-950a: (no details available)
ECHO-7627-a361-b4d3: (no details available)
ECHO-879a-fe35-cf61: (no details available)
ECHO-de02-7575-4370: (no details available)
ECHO-f04c-582a-df62: (no details available)
ECHO-f4ca-f938-4210: (no details available)
And looking at the list there are a number of other advisories, all of which seem incorrect.
Using ECHO-01ac-8821-274a as an example:
```json
{
  "id": "ECHO-01ac-8821-274a",
  "upstream": ["CVE-2026-33034"],
  "aliases": ["CVE-2026-33034"],
  "severity": [],
  "modified": "2026-04-20T12:40:43.814Z",
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [{ "introduced": "0" }, { "fixed": "5.2.1+echo.1" }]
        }
      ]
    }
  ],
  "references": [
    { "type": "WEB", "url": "https://advisory.echohq.com/cve/CVE-2026-33034" },
    {
      "type": "WEB",
      "url": "https://github.com/advisories/GHSA-933h-hp56-hf7m"
    }
  ]
}
```
This is for GHSA-933h-hp56-hf7m, which was fixed in v4.2.30, but the Echo advisory lists `5.2.1+echo.1` as the fixed version for the package in the `PyPI` ecosystem, which does not exist.
I assume the way Echo works is that they've got their own replacement PyPI registry where they've published this version of Django, which means these advisories are invalid because the `PyPI` ecosystem is only for packages hosted on pypi.org.
Also I want to point out that these records have no other information at all (not even a summary), and the advisory.echohq.com CVE link just redirects to the nvd.nist.gov page for the CVE, which feels like it defeats the point of linking to Echo.
I'm assuming this might just be a bug on Echo's end given they have their own `Echo` ecosystem, and there look to be 20 advisories impacted by this.
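The following is an added example, not part of the issue above and not code from Echo or OSV. It walks the `affected[].ranges[]` events of the record quoted above the way a scanner would, using a deliberately simplified PEP 440 ordering (dotted integer release segments plus an optional `+local` label; pre-release and post-release markers are not handled), and also reports any `fixed` event that carries a local version label, since such a version cannot correspond to a release hosted on pypi.org. The record embedded below is a trimmed copy of the one quoted in the issue; the helper names are my own.

```python
import json

# Trimmed copy of the advisory record quoted in the issue (only the fields used here).
RECORD = json.loads("""
{
  "id": "ECHO-01ac-8821-274a",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "django", "purl": "pkg:pypi/django"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "5.2.1+echo.1"}]}
      ]
    }
  ]
}
""")


def version_key(text):
    """Build a sortable key (release tuple, local tuple) from a version string.

    Simplified PEP 440: a version with a '+local' label sorts after the same
    public version without one, and local segments compare numerically when
    numeric (numeric segments rank above alphanumeric ones).
    """
    public, _, local = text.partition("+")
    release = tuple(int(part) for part in public.split("."))
    local_key = tuple(
        (1, int(seg)) if seg.isdigit() else (0, seg)
        for seg in local.split(".") if seg
    )
    return release, local_key


def is_affected(record, ecosystem, name, version):
    """Return True if `version` of `name` falls inside any ECOSYSTEM range.

    Events are processed in order: 'introduced' opens a range, 'fixed' closes it.
    """
    target = version_key(version)
    for affected in record["affected"]:
        pkg = affected["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in affected["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            inside = False
            for event in rng["events"]:
                if "introduced" in event:
                    inside = target >= version_key(event["introduced"])
                elif "fixed" in event:
                    if inside and target < version_key(event["fixed"]):
                        return True
                    inside = False
            if inside:  # range opened and never closed by a 'fixed' event
                return True
    return False


def local_fixed_versions(record):
    """List (ecosystem, package, fixed) triples whose fixed version has a local label.

    A '+label' suffix on a PyPI-ecosystem fixed version is a red flag: it cannot
    name a release published on pypi.org, so the range never closes for real users.
    """
    hits = []
    for affected in record["affected"]:
        pkg = affected["package"]
        for rng in affected["ranges"]:
            for event in rng["events"]:
                fixed = event.get("fixed")
                if fixed and "+" in fixed:
                    hits.append((pkg["ecosystem"], pkg["name"], fixed))
    return hits


if __name__ == "__main__":
    for v in ("4.2.30", "5.2.1", "5.2.1+echo.1", "5.2.2"):
        print(f"django {v}: affected={is_affected(RECORD, 'PyPI', 'django', v)}")
    print("fixed versions with local labels:", local_fixed_versions(RECORD))
```

Note the second probe: because `5.2.1` sorts below `5.2.1+echo.1`, even the public `5.2.1` release would still be reported as affected by this record, which is why a fixed version with a local label is worth flagging during advisory ingestion rather than only when a user complains.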