Security vulnerability announcement

This is an announcement of a security vulnerability of LFS.

We are publishing multiple releases for all affected versions now. All users of LFS are urged to upgrade immediately.

Versions affected

0.5.x, 0.6.x, 0.7.x


Patches will be applied to the tip of all version branches. Releases for all affected versions will be provided.


The installation should be straightforward. Just replace your current version of django-lfs with the new release and restart your instance. This can be done in several ways dependend on your current installation. For instance you can just update the version of django-lfs within buildout.cfg and re-run the buildout or you can install a complete new instance and point it to your current database and media files. Make sure that you are using the correct version branch.

You can find the different installers here:

If you have questions, don't hesitate to get in contact:

If you need professional support, please look here:


Thanks to Maciej Wisniowski ( who found the issue, handled it in a most responsible way and helped to provide the patches.


If you find a security relevant issue, please report it via private mail to