
    300 vulnerabilities found for Django by djangoproject

    CVE-2026-8404 (GCVE-0-2026-8404)

    Vulnerability from nvd – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:46
    Title
    Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-178 - Improper Handling of Case Sensitivity
    Assigner
    DSF
    Impacted products
    Vendor: djangoproject; Product: Django (PyPI package django)
    Affected: 6.0 series before 6.0.6 (python); unaffected: 6.0.6
    Affected: 5.2 series before 5.2.15 (python); unaffected: 5.2.15
    Date Public
    2026-06-03 08:00
    Credits
    Ahmed Badawe (reporter), Jake Howard (remediation developer), Natalia Bidart (coordinator)
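The check the summary describes, re-created as an added example (this is not Django's code; `parse_cache_control`, `should_cache_vulnerable` and `should_cache_fixed` are names chosen here): a case-sensitive match on Cache-Control directives lets `Private` or `NO-STORE` through, while lower-casing directive names before comparing, as RFC 9111 section 5.2 requires, does not. Which directives block storage (`private`, `no-store`) is also this example's choice, not a statement about the middleware's exact rule set.

```python
from typing import Dict, List, Optional, Tuple

# Response directives that keep a response out of a shared cache (example's choice).
NO_STORE_DIRECTIVES = ("private", "no-store")


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument}.

    Names are kept exactly as written so the vulnerable and fixed checks can
    share this parser and differ only in how they compare.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') if has_arg else None
    return directives


def should_cache_vulnerable(cache_control: str) -> bool:
    """Case-sensitive membership test: 'Private' or 'NO-STORE' is not recognised."""
    present = parse_cache_control(cache_control)
    return not any(name in present for name in NO_STORE_DIRECTIVES)


def should_cache_fixed(cache_control: str) -> bool:
    """Directive names compare case-insensitively (RFC 9111 section 5.2)."""
    present = {name.lower() for name in parse_cache_control(cache_control)}
    return not any(name in present for name in NO_STORE_DIRECTIVES)


def audit(headers: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (header, stored_by_vulnerable, stored_by_fixed) for each value."""
    return [(h, should_cache_vulnerable(h), should_cache_fixed(h)) for h in headers]


# Constructed sample values; the mixed-case ones are the kind a view or an
# upstream proxy might emit and that the advisory says were cached anyway.
SAMPLE_HEADERS = [
    "public, max-age=600",
    "private, max-age=600",
    "Private, max-age=600",
    "NO-STORE",
    'Private="Set-Cookie", max-age=60',
]

if __name__ == "__main__":
    for header, stored_vuln, stored_fixed in audit(SAMPLE_HEADERS):
        verdict = "LEAK" if stored_vuln and not stored_fixed else "ok"
        print(f"{header!r:40} vulnerable={stored_vuln!s:5} fixed={stored_fixed!s:5} {verdict}")
```

Run directly, it prints a LEAK line for every sample value the vulnerable check would have stored. The practical audit for a site still on an affected release is the same shape: collect the Cache-Control values the views and any upstream proxies actually emit and feed them through the fixed variant; anything flagged is a response the case-sensitive check would have let into the shared cache.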

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8404",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:46:33.911128Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:46:40.439Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ahmed Badawe"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not match \u003ccode\u003eCache-Control\u003c/code\u003e response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their \u003ccode\u003eCache-Control\u003c/code\u003e directives used uppercase or mixed-case values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmed Badawe for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-178",
                  "description": "CWE-178: Improper Handling of Case Sensitivity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:29.593Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-06T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-8404",
        "datePublished": "2026-06-03T13:16:29.593Z",
        "dateReserved": "2026-05-12T15:06:18.803Z",
        "dateUpdated": "2026-06-03T15:46:40.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7666 (GCVE-0-2026-7666)

    Vulnerability from nvd – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43
    Title
    Potential unencrypted email transmission via STARTTLS in the SMTP backend
    Summary
    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor: djangoproject; Product: Django (PyPI package django)
    Affected: 6.0 series before 6.0.6 (python); unaffected: 6.0.6
    Affected: 5.2 series before 5.2.15 (python); unaffected: 5.2.15
    Date Public
    2026-06-03 08:00
    Credits
    Kasper Dupont (reporter), Jake Howard (remediation developer), Natalia Bidart (coordinator)
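The reuse sequence in the summary, modelled as an added example rather than Django's code: `FakeSMTP` stands in for `smtplib.SMTP` so the run is offline and the STARTTLS failure can be injected, and `Backend` assumes the bug's shape (the connection object is stored before STARTTLS has succeeded, the error is swallowed under `fail_silently=True`, and the stale object is reused on the next send). The hardened variant discards the session as soon as the handshake fails; the exact control flow of the upstream backend and fix is not taken from the advisory.

```python
from typing import List, Optional, Tuple


class StartTlsFailed(OSError):
    """Stand-in for the error a refused or broken STARTTLS raises in smtplib."""


class FakeSMTP:
    """Minimal SMTP session that only tracks whether the channel is encrypted."""

    def __init__(self, tls_fails: bool) -> None:
        self._tls_fails = tls_fails
        self.encrypted = False
        self.closed = False
        self.sent: List[Tuple[str, bool]] = []  # (message, sent_encrypted)

    def starttls(self) -> None:
        if self._tls_fails:
            raise StartTlsFailed("server rejected STARTTLS")
        self.encrypted = True

    def sendmail(self, message: str) -> None:
        if self.closed:
            raise RuntimeError("sendmail on a closed session")
        self.sent.append((message, self.encrypted))

    def quit(self) -> None:
        self.closed = True


class Backend:
    """open() returns True for a new session, False when reusing one, None when a failure was swallowed."""

    def __init__(self, *, fail_silently: bool, tls_fails: bool, discard_on_failure: bool) -> None:
        self.fail_silently = fail_silently
        self.tls_fails = tls_fails
        self.discard_on_failure = discard_on_failure  # True selects the hardened behaviour
        self.connection: Optional[FakeSMTP] = None

    def open(self) -> Optional[bool]:
        if self.connection:
            return False  # reuse whatever is already there, secured or not
        try:
            self.connection = FakeSMTP(self.tls_fails)  # stored before the channel is secured
            self.connection.starttls()
            return True
        except OSError:
            if self.discard_on_failure and self.connection is not None:
                # Hardened: a session whose STARTTLS failed must not outlive the error.
                self.connection.quit()
                self.connection = None
            if not self.fail_silently:
                raise
            return None

    def send(self, message: str) -> int:
        new_conn = self.open()
        if not self.connection or new_conn is None:
            return 0  # the call that hit the failure sends nothing ...
        self.connection.sendmail(message)  # ... but a later call reuses the half-open session
        return 1


def simulate(*, discard_on_failure: bool) -> List[Tuple[str, bool]]:
    """Two sends, fail_silently=True, against a server that refuses STARTTLS."""
    backend = Backend(fail_silently=True, tls_fails=True, discard_on_failure=discard_on_failure)
    backend.send("password reset link #1")
    backend.send("password reset link #2")
    return backend.connection.sent if backend.connection else []


def simulate_healthy() -> List[Tuple[str, bool]]:
    """Control run: STARTTLS succeeds, the message goes out encrypted."""
    backend = Backend(fail_silently=True, tls_fails=False, discard_on_failure=True)
    backend.send("welcome")
    return backend.connection.sent if backend.connection else []


def raises_when_loud() -> bool:
    """With fail_silently=False the handshake error propagates instead of being swallowed."""
    backend = Backend(fail_silently=False, tls_fails=True, discard_on_failure=False)
    try:
        backend.send("never sent")
    except StartTlsFailed:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", simulate(discard_on_failure=False))  # second message leaves in cleartext
    print("hardened:  ", simulate(discard_on_failure=True))   # nothing leaves
    print("healthy:   ", simulate_healthy())
```

The point of the two-send sequence is that the first send after the failed handshake looks safe (nothing goes out), which is why the condition is easy to miss in testing; it is the second send, on a long-lived backend, that reuses the cleartext session. An on-path attacker who can make STARTTLS fail (the CAPEC-94 adversary-in-the-middle named in the record) therefore needs only to break the handshake once and wait.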

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7666",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:43:26.714914Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:43:34.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kasper Dupont"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.core.mail.backends.smtp.EmailBackend\u003c/code\u003e in Django fails to prevent reuse of a partially-initialized connection after a failed \u003ccode\u003eSTARTTLS\u003c/code\u003e handshake when \u003ccode\u003efail_silently=True\u003c/code\u003e, which allows on-path network attackers to read email content via cleartext interception.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kasper Dupont for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-94",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-94: Adversary in the Middle (AiTM)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:15.446Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-22T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential unencrypted email transmission via STARTTLS in the SMTP backend",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-7666",
        "datePublished": "2026-06-03T13:16:15.446Z",
        "dateReserved": "2026-05-01T19:59:31.353Z",
        "dateUpdated": "2026-06-03T15:43:34.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6873 (GCVE-0-2026-6873)

    Vulnerability from nvd – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43
    Title
    Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
    Summary
    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    DSF
    Impacted products
    Vendor: djangoproject; Product: Django (PyPI package django)
    Affected: 6.0 series before 6.0.6 (python); unaffected: 6.0.6
    Affected: 5.2 series before 5.2.15 (python); unaffected: 5.2.15
    Date Public
    2026-06-03 08:00
    Credits
    Peng Zhou (reporter), Paul McMillan (remediation developer), Natalia Bidart (coordinator)
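The collision described in the summary, as an added example with its own small HMAC scheme rather than Django's `django.core.signing`: `context_salt`, `sign`, `unsign` and the constructed `SECRET` belong to this example, and the length-prefixed encoding in the hardened variant is one injective derivation, not necessarily the one upstream adopted. The pair (`user`, `_role`) / (`user_`, `role`) is a constructed instance of the distinct `(name, salt)` pairs with equal concatenation that the advisory describes.

```python
import base64
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-secret-for-this-example-only"  # not a real key


def context_salt(name: str, salt: str, *, injective: bool) -> bytes:
    """Combine cookie name and caller salt into the value that keys the MAC."""
    if injective:
        # Length-prefixing makes (name, salt) -> bytes one-to-one.
        return f"{len(name)}:{name}|{len(salt)}:{salt}".encode()
    return (name + salt).encode()  # ("user", "_role") and ("user_", "role") collide


def _mac(value: str, name: str, salt: str, *, injective: bool) -> str:
    """Derive a per-context key from the salt, then MAC the value under it."""
    key = hmac.new(SECRET, context_salt(name, salt, injective=injective), hashlib.sha256).digest()
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def sign(value: str, name: str, salt: str, *, injective: bool) -> str:
    """Return 'value:signature', the shape a set_signed_cookie-style helper produces."""
    return f"{value}:{_mac(value, name, salt, injective=injective)}"


def unsign(token: str, name: str, salt: str, *, injective: bool) -> Optional[str]:
    """Return the value if the signature matches this (name, salt) context, else None."""
    value, sep, sig = token.rpartition(":")
    if not sep:
        return None
    expected = _mac(value, name, salt, injective=injective)
    return value if hmac.compare_digest(sig, expected) else None


# Two contexts whose concatenations collide: "user" + "_role" == "user_" + "role".
ISSUING_CONTEXT = ("user", "_role")
OTHER_CONTEXT = ("user_", "role")


def cross_context_accepted(*, injective: bool) -> bool:
    """Sign in one context, present under the other; True means the collision is exploitable."""
    token = sign("guest", *ISSUING_CONTEXT, injective=injective)
    return unsign(token, *OTHER_CONTEXT, injective=injective) is not None


if __name__ == "__main__":
    print("concatenation:  accepted across contexts =", cross_context_accepted(injective=False))
    print("length-prefixed: accepted across contexts =", cross_context_accepted(injective=True))
```

Note what the attacker does not get: the MAC itself is never forged (a tampered value still fails), which is why the record scores confidentiality only and requires low privileges. The gain is purely contextual, a value legitimately signed for one cookie being honoured under another, and the hardening is entirely in the derivation, with no change to the MAC or the key.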

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:43:52.491634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:43:58.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peng Zhou"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Paul McMillan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.http.HttpRequest.get_signed_cookie\u003c/code\u003e in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct \u003ccode\u003e(name, salt)\u003c/code\u003e pairs that produce the same concatenation.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Peng Zhou for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Peng Zhou for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-475",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-475: Signature Spoofing by Improper Validation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:03.924Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-27T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-6873",
        "datePublished": "2026-06-03T13:16:03.924Z",
        "dateReserved": "2026-04-22T18:12:39.603Z",
        "dateUpdated": "2026-06-03T15:43:58.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48587 (GCVE-0-2026-48587)

    Vulnerability from nvd – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47
    Title
    Potential exposure of private data via whitespace padding in Vary header
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1023 - Incomplete Comparison with Missing Factors
    Assigner
    DSF
    Impacted products
    Vendor: djangoproject; Product: Django (PyPI package django)
    Affected: 6.0 series before 6.0.6 (python); unaffected: 6.0.6
    Affected: 5.2 series before 5.2.15 (python); unaffected: 5.2.15
    Date Public
    2026-06-03 08:00
    Credits
    Navid Rezazadeh (reporter), Jake Howard (remediation developer), Natalia Bidart (coordinator)
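The comparison flaw in the summary, re-created as an added example (not Django's `django.utils.cache` code): `has_vary_header` is shown in a vulnerable form that tolerates whitespace around commas but not at the ends of the value, which is this example's assumption about the bug's shape, and in a fixed form that strips every element. `may_store_for_anonymous` models one rule a caching middleware applies with the check (do not store a cookie-setting response that varies on Cookie); that usage is likewise an assumption for illustration.

```python
import re
from typing import Dict, List, Optional, Set

_LIST_DELIM = re.compile(r"\s*,\s*")  # eats whitespace next to commas, not at the ends


def vary_tokens_vulnerable(vary: str) -> Set[str]:
    """Lower-case the elements but leave leading/trailing whitespace in place."""
    return {token.lower() for token in _LIST_DELIM.split(vary)}


def vary_tokens_fixed(vary: str) -> Set[str]:
    """Strip every element and drop empties, as the HTTP list syntax allows."""
    return {token.strip().lower() for token in vary.split(",") if token.strip()}


def has_vary_header(vary: Optional[str], header_query: str, *, fixed: bool) -> bool:
    """Does the Vary value name header_query? Case-insensitive in both variants."""
    if vary is None:
        return False
    tokens = vary_tokens_fixed(vary) if fixed else vary_tokens_vulnerable(vary)
    return header_query.lower() in tokens


def may_store_for_anonymous(response_headers: Dict[str, str], sets_cookie: bool, *, fixed: bool) -> bool:
    """Rule modelled here: a cookie-less request whose response sets a cookie and
    varies on Cookie must not be cached, or the next anonymous visitor is served
    that user's response."""
    vary = response_headers.get("Vary")
    if sets_cookie and has_vary_header(vary, "Cookie", fixed=fixed):
        return False
    return True


def leaking_values(vary_values: List[str]) -> List[str]:
    """Vary values the vulnerable check would store (for a Set-Cookie response) and the fixed one refuses."""
    return [
        v for v in vary_values
        if may_store_for_anonymous({"Vary": v}, True, fixed=False)
        and not may_store_for_anonymous({"Vary": v}, True, fixed=True)
    ]


# Constructed sample values, including the padded forms the advisory describes.
SAMPLE_VARY_VALUES = [
    "Cookie",
    " Cookie",
    "Cookie ",
    "Accept-Encoding , Cookie",
    "Accept-Encoding, Cookie\t",
]

if __name__ == "__main__":
    for value in SAMPLE_VARY_VALUES:
        print(f"{value!r:28} vulnerable={has_vary_header(value, 'Cookie', fixed=False)!s:5} "
              f"fixed={has_vary_header(value, 'Cookie', fixed=True)!s:5}")
    print("stored despite Set-Cookie by the vulnerable check:", leaking_values(SAMPLE_VARY_VALUES))
```

Whitespace around the commas is handled in both variants; the gap is a single leading or trailing space or tab on the whole value, which is exactly what a view or a proxy that builds the header by hand can introduce without anyone noticing. For a site that cannot upgrade immediately, the stopgap is on the emitting side: make sure nothing sets `Vary` by string concatenation and that the values are exact tokens.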

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48587",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:47:33.121791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:47:55.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Navid Rezazadeh"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.utils.cache.has_vary_header()\u003c/code\u003e in Django does not strip leading or trailing whitespace from \u003ccode\u003eVary\u003c/code\u003e response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Navid Rezazadeh for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1023",
                  "description": "CWE-1023: Incomplete Comparison with Missing Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:47.811Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-11T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-26T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via whitespace padding in Vary header",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-48587",
        "datePublished": "2026-06-03T13:16:47.811Z",
        "dateReserved": "2026-05-21T20:50:32.465Z",
        "dateUpdated": "2026-06-03T15:47:55.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35193 (GCVE-0-2026-35193)

    Vulnerability from nvd – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47
    Title
    Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Reporter: Shai Berger; Remediation developer: Jacob Walls; Coordinator: Natalia Bidart

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35193",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:47:08.153480Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:47:18.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shai Berger"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not add \u003ccode\u003eAuthorization\u003c/code\u003e to the \u003ccode\u003eVary\u003c/code\u003e response header for requests bearing that header without \u003ccode\u003eCache-Control: public\u003c/code\u003e, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Shai Berger for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:38.456Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-28T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-35193",
        "datePublished": "2026-06-03T13:16:38.456Z",
        "dateReserved": "2026-04-01T18:21:23.779Z",
        "dateUpdated": "2026-06-03T15:47:18.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6907 (GCVE-0-2026-6907)

    Vulnerability from nvd – Published: 2026-05-05 14:50 – Updated: 2026-05-06 15:25
    Title
    Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Reporter: Ahmad Sadeddin; Remediation developer: Sarah Boyce; Coordinator: Sarah Boyce

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6907",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:03:42.610418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:33.698Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ahmad Sadeddin"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sarah Boyce"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003e`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0026#x27;*\u0026#x27;`). This can lead to private data being stored and served.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmad Sadeddin for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0027*\u0027`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:50:02.594Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-06T10:17:03.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-23T10:17:26.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-6907",
        "datePublished": "2026-05-05T14:50:02.594Z",
        "dateReserved": "2026-04-23T11:19:30.877Z",
        "dateUpdated": "2026-05-06T15:25:33.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5766 (GCVE-0-2026-5766)

    Vulnerability from nvd – Published: 2026-05-05 14:49 – Updated: 2026-05-06 15:25
    Title
    Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Reporter: Kyle Agronick; Remediation developer: Jacob Walls; Coordinator: Sarah Boyce

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5766",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:03:20.935294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:38.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kyle Agronick"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kyle Agronick for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\r\n \r\nAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kyle Agronick for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:49:19.715Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-12T10:32:17.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-07T10:32:20.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-5766",
        "datePublished": "2026-05-05T14:49:19.715Z",
        "dateReserved": "2026-04-07T19:29:07.042Z",
        "dateUpdated": "2026-05-06T15:25:38.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35192 (GCVE-0-2026-35192)

    Vulnerability from nvd – Published: 2026-05-05 14:50 – Updated: 2026-05-06 15:25
    Title
    Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-539 - Use of Persistent Cookies Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Cantina Jake Howard Sarah Boyce

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:04:02.535125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:28.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Cantina"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003eResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user\u0026#x27;s session after that user visits a cached public page.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user\u0027s session after that user visits a cached public page.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-60",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-60: Reusing Session IDs (aka Session Replay)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-539",
                  "description": "CWE-539: Use of Persistent Cookies Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:50:29.984Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-11T10:54:40.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-01T10:54:43.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-35192",
        "datePublished": "2026-05-05T14:50:29.984Z",
        "dateReserved": "2026-04-01T18:21:23.779Z",
        "dateUpdated": "2026-05-06T15:25:28.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
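
    The record above says the session cookie is re-emitted on every response when `SESSION_SAVE_EVERY_REQUEST` is `True`, and that the response did not vary on `Cookie` when the session was not modified. The following is an added, constructed model of why that combination leaks a session through a shared page cache; it is not Django's code. The cache rule it models (do not store a response that sets a cookie for a cookieless request, but only when the response declares `Vary: Cookie`) is a simplified assumption about cache-middleware behaviour, and the session middleware is reduced to the two decisions that matter: whether to write the cookie and whether to add `Vary: Cookie`.

```python
"""Constructed model of CVE-2026-35192: with SESSION_SAVE_EVERY_REQUEST the
session cookie is re-emitted on every response, and if that response does
not carry Vary: Cookie a shared page cache stores it and hands the victim's
session id to the next visitor. Not Django's code; the cache rule and the
middleware are simplified models built for this example."""
import secrets

SESSIONS = {}  # session id -> data; stands in for the session store


class Request:
    def __init__(self, path, cookies=None):
        self.path = path
        self.cookies = dict(cookies or {})

    @property
    def headers(self):
        # The Cookie header as a cache keying on "Vary: Cookie" would see it.
        cookie = "; ".join(f"{k}={v}" for k, v in sorted(self.cookies.items()))
        return {"cookie": cookie}


class Response:
    def __init__(self, body):
        self.body = body
        self.headers = {}
        self.set_cookies = {}

    @property
    def vary(self):
        raw = self.headers.get("vary", "")
        return {h.strip().lower() for h in raw.split(",") if h.strip()}


class SharedCache:
    """Page cache keyed on path plus the request headers named in Vary."""

    def __init__(self):
        self.entries = {}  # path -> [(vary, key, response)]

    @staticmethod
    def key(path, req_headers, vary):
        return (path,) + tuple(req_headers.get(h, "") for h in sorted(vary))

    def get(self, request):
        for vary, key, response in self.entries.get(request.path, []):
            if self.key(request.path, request.headers, vary) == key:
                return response
        return None

    def put(self, request, response):
        vary = response.vary
        # Guard modelled on cache middleware (simplified assumption): a
        # response that sets a cookie for a cookieless request is not stored,
        # but only when it declares Vary: Cookie. Without that header the
        # guard never fires and the Set-Cookie is cached for everyone.
        if not request.cookies and response.set_cookies and "cookie" in vary:
            return
        key = self.key(request.path, request.headers, vary)
        self.entries.setdefault(request.path, []).append((vary, key, response))


def public_view(request):
    # A public page that never reads or writes the session.
    return Response("<h1>public</h1>")


def session_middleware(request, view, *, save_every_request, vary_on_write):
    sid = request.cookies.get("sessionid")
    if sid not in SESSIONS:
        sid = secrets.token_hex(8)
        SESSIONS[sid] = {}
    response = view(request)
    # public_view never touches the session, so a "Vary: Cookie only when
    # the session was accessed" rule adds nothing here; the cookie is still
    # written because save_every_request is on.
    if save_every_request:
        response.set_cookies["sessionid"] = sid
        if vary_on_write:
            # Hardened variant: any response that writes the session cookie
            # is per-user and must vary on Cookie.
            response.headers["vary"] = "Cookie"
    return response


def run_scenario(*, hardened):
    """A victim with a live session loads the public page, then a cookieless
    attacker loads it. Returns the session id the attacker is handed."""
    SESSIONS.clear()
    SESSIONS["victim-session"] = {"user": "alice"}
    cache = SharedCache()

    def handle(request):
        hit = cache.get(request)
        if hit is not None:
            return hit
        response = session_middleware(
            request, public_view, save_every_request=True, vary_on_write=hardened
        )
        cache.put(request, response)
        return response

    handle(Request("/public", {"sessionid": "victim-session"}))
    attacker_response = handle(Request("/public"))
    return attacker_response.set_cookies.get("sessionid")


if __name__ == "__main__":
    print("unpatched, attacker receives:", run_scenario(hardened=False))
    print("hardened,  attacker receives:", run_scenario(hardened=True))
```

    In the unpatched run the victim's response is stored under a key that ignores cookies, so the attacker's cache hit carries `Set-Cookie: sessionid=victim-session`. With `Vary: Cookie` on every cookie-writing response the victim's entry is keyed on their own cookie, the attacker misses the cache, and the attacker's own response is not stored at all. A practical check on a deployment: request a cached public page twice, once with a valid session cookie and once without, and confirm the second response neither is a cache hit for the first nor carries a `Set-Cookie` header.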

    CVE-2026-4292 (GCVE-0-2026-4292)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:12
    Title
    Privilege abuse in ModelAdmin.list_editable
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Cantina Jacob Walls Jacob Walls

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4292",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:12:50.786633Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:12:56.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Cantina"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\u003c/p\u003e\u003cp\u003einstances to be created via forged `POST` data.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122: Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:38.254Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-11T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-16T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Privilege abuse in ModelAdmin.list_editable",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-4292",
        "datePublished": "2026-04-07T14:22:38.254Z",
        "dateReserved": "2026-03-16T16:58:02.592Z",
        "dateUpdated": "2026-04-07T15:12:56.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4277 (GCVE-0-2026-4277)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-06-23 15:52
    Title
    Privilege abuse in GenericInlineModelAdmin
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    N05ec@LZU-DSLab Jacob Walls Jacob Walls

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4277",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T18:09:56.739026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:52:41.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "N05ec@LZU-DSLab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdd permissions on inline model instances were not validated on submission of\u003c/p\u003e\u003cp\u003eforged `POST` data in `GenericInlineModelAdmin`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank N05ec@LZU-DSLab for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122: Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:25.547Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-07T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-16T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Privilege abuse in GenericInlineModelAdmin",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-4277",
        "datePublished": "2026-04-07T14:22:25.547Z",
        "dateReserved": "2026-03-16T15:26:08.125Z",
        "dateUpdated": "2026-06-23T15:52:41.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
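
    CVE-2026-4292 and CVE-2026-4277 above share one shape: a formset-driven admin page accepted forged `POST` rows that had no primary key and treated them as creations, in one case on a changelist that should only edit rows it rendered, in the other on an inline without asking for the add permission. The following is an added, constructed model of the two checks a handler needs; it is not Django's implementation and does not claim to be the upstream patch. The in-memory store, the `form-N-id` / `inline-N-id` field names, the `TOTAL_FORMS` management-form key and the `"add"` / `"change"` permission strings are all assumptions made for illustration.

```python
"""Constructed model of the admin formset authorization checks behind
CVE-2026-4292 (list_editable) and CVE-2026-4277 (GenericInlineModelAdmin).
Illustrative only; the store, field names and permission strings are
assumptions, not Django's implementation."""


class Forbidden(Exception):
    pass


STORE = {}  # pk -> row dict, stands in for the model table


def reset():
    STORE.clear()
    STORE[1] = {"name": "existing"}


def parse_formset(post, prefix):
    """Split POST data into rows the way a formset does. TOTAL_FORMS comes
    from the client's management form, so the number of rows, and whether a
    row carries a primary key, are both attacker-controlled."""
    total = int(post.get(f"{prefix}-TOTAL_FORMS", "0"))
    rows = []
    for i in range(total):
        head = f"{prefix}-{i}-"
        rows.append({k[len(head):]: v for k, v in post.items() if k.startswith(head)})
    return rows


def changelist_save_vulnerable(post, displayed_pks):
    """list_editable handler that trusts the submitted rows: a row without
    a pk falls through to the create branch."""
    for row in parse_formset(post, "form"):
        if row.get("id"):
            STORE[int(row["id"])]["name"] = row["name"]
        else:
            STORE[max(STORE, default=0) + 1] = {"name": row["name"]}
    return sorted(STORE)


def changelist_save_fixed(post, displayed_pks):
    """A changelist only ever edits rows it rendered: every submitted row
    must name a pk from the displayed queryset, and nothing is created.
    Validation runs before any write so a forged row changes nothing."""
    rows = parse_formset(post, "form")
    for row in rows:
        if not row.get("id") or int(row["id"]) not in displayed_pks:
            raise Forbidden("list_editable may only change rows shown on the page")
    for row in rows:
        STORE[int(row["id"])]["name"] = row["name"]
    return sorted(STORE)


def inline_save_vulnerable(post, perms):
    """Inline handler that checks change permission on existing rows but
    never asks whether the user may add before creating a new one."""
    for row in parse_formset(post, "inline"):
        if row.get("id"):
            if "change" not in perms:
                raise Forbidden("change permission required")
            STORE[int(row["id"])]["name"] = row["name"]
        else:
            STORE[max(STORE, default=0) + 1] = {"name": row["name"]}
    return sorted(STORE)


def inline_save_fixed(post, perms):
    """Every row without a pk is an add and needs the add permission."""
    for row in parse_formset(post, "inline"):
        if row.get("id"):
            if "change" not in perms:
                raise Forbidden("change permission required")
            STORE[int(row["id"])]["name"] = row["name"]
        else:
            if "add" not in perms:
                raise Forbidden("add permission required")
            STORE[max(STORE, default=0) + 1] = {"name": row["name"]}
    return sorted(STORE)


# Forged POST bodies (constructed): the page rendered one row (pk 1); the
# client bumps TOTAL_FORMS and appends a second row with an empty pk.
FORGED_CHANGELIST = {
    "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "1",
    "form-0-id": "1", "form-0-name": "renamed",
    "form-1-id": "", "form-1-name": "injected",
}
FORGED_INLINE = {
    "inline-TOTAL_FORMS": "2", "inline-INITIAL_FORMS": "1",
    "inline-0-id": "1", "inline-0-name": "renamed",
    "inline-1-id": "", "inline-1-name": "injected",
}


def attempt(handler, *args):
    """Run a handler against a fresh store and report what it did."""
    reset()
    try:
        return handler(*args)
    except Forbidden as exc:
        return f"Forbidden: {exc}"


if __name__ == "__main__":
    print(attempt(changelist_save_vulnerable, FORGED_CHANGELIST, {1}))
    print(attempt(changelist_save_fixed, FORGED_CHANGELIST, {1}))
    print(attempt(inline_save_vulnerable, FORGED_INLINE, {"change"}))
    print(attempt(inline_save_fixed, FORGED_INLINE, {"change"}))
```

    The two unpatched handlers both end with a second row in the store that the user was never entitled to create. The point a reviewer of similar code should carry away is that `TOTAL_FORMS` and the presence of a pk field are client input: a changelist has to reject any row it did not render, and an inline has to treat every pk-less row as an add and check the add permission separately from the change permission.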

    CVE-2026-3902 (GCVE-0-2026-3902)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 16:14
    Title
    ASGI header spoofing via underscore/hyphen conflation
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Tarek Nakkouch Jacob Walls Jacob Walls

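    The summary above describes the collision without spelling out the mapping that causes it. The following is an added, constructed model of the CGI-style `HTTP_*` key derivation, the ambiguity it creates, and one way to close it; it is this page's illustration, not Django's `ASGIRequest` code, and the hardening shown (dropping any header whose raw name contains an underscore before mapping) is an assumption about a reasonable fix, not necessarily the upstream patch. The scope layout follows the ASGI specification (headers as a list of lower-cased `(name, value)` byte pairs); the header values are constructed sample data.

```python
"""Constructed model of CVE-2026-3902: mapping ASGI header names to CGI-style
META keys folds '-' and '_' onto the same key, so an attacker-supplied
underscore spelling can overwrite a proxy-set hyphenated header. The scope
shape follows the ASGI spec; the mapping and the hardening are this
example's own, not Django's code."""


def meta_key(name: bytes) -> str:
    """CGI convention: HTTP_ prefix, upper case, '-' becomes '_'. This is the
    step that makes 'x-forwarded-for' and 'x_forwarded_for' collide."""
    return "HTTP_" + name.decode("latin-1").upper().replace("-", "_")


def build_meta_ambiguous(scope):
    """Maps every header; last writer wins, so the underscore spelling
    (which reverse proxies typically do not normalise) overwrites the
    hyphenated one the proxy set."""
    meta = {}
    for name, value in scope["headers"]:
        meta[meta_key(name)] = value.decode("latin-1")
    return meta


def build_meta_hardened(scope):
    """Refuses header names containing '_' before mapping, so only the
    hyphenated spelling can reach HTTP_*. Assumed fix for this example."""
    meta = {}
    for name, value in scope["headers"]:
        if b"_" in name:
            continue
        meta[meta_key(name)] = value.decode("latin-1")
    return meta


def colliding_keys(headers):
    """Audit helper: META keys that more than one distinct raw name maps to
    in a single request. Non-empty output means the request is ambiguous."""
    seen = {}
    for name, _ in headers:
        seen.setdefault(meta_key(name), set()).add(name)
    return {key for key, names in seen.items() if len(names) > 1}


def client_ip(meta):
    # Typical downstream consumer that trusts the proxy-set header.
    return meta.get("HTTP_X_FORWARDED_FOR")


# Constructed scope: the reverse proxy overwrote X-Forwarded-For with the real
# client address but forwarded the client's underscore spelling untouched.
SCOPE = {
    "type": "http",
    "method": "GET",
    "path": "/",
    "headers": [
        (b"host", b"app.example"),
        (b"x-forwarded-for", b"203.0.113.9"),  # written by the proxy
        (b"x_forwarded_for", b"127.0.0.1"),    # injected by the client
    ],
}

if __name__ == "__main__":
    print("ambiguous :", client_ip(build_meta_ambiguous(SCOPE)))
    print("hardened  :", client_ip(build_meta_hardened(SCOPE)))
    print("collisions:", colliding_keys(SCOPE["headers"]))
```

    The integrity impact in the CVSS vector comes from exactly this pattern: anything keyed off `META` (`X-Forwarded-For` allow-lists, `X-Forwarded-Proto` for `SECURE_PROXY_SSL_HEADER`, custom trust headers) can be overridden by a client that spells the name with underscores. A proxy only protects the spelling it knows about, so the rejection belongs in the application layer or the ASGI server; nginx, for instance, drops underscore header names by default, but that cannot be assumed of every deployment. A quick check on a live stack is to send both spellings of a trusted header and compare what the application's `META` reports, which is what `colliding_keys` does offline for a captured scope.
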
    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3902",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T16:14:03.870418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T16:14:07.198Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tarek Nakkouch"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-151",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-151: Identity Spoofing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:07.190Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-23T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-10T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "ASGI header spoofing via underscore/hyphen conflation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-3902",
        "datePublished": "2026-04-07T14:22:07.190Z",
        "dateReserved": "2026-03-10T18:33:26.472Z",
        "dateUpdated": "2026-04-07T16:14:07.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
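
    The CVE-2026-3902 record above describes an ambiguous mapping of hyphenated and underscored header names onto a single underscored key. The Python below is an added illustration of that class of bug and of one mitigation; it is not Django's `ASGIRequest` code and does not reproduce the fix that shipped. The header list, the `is_secure()` check, and the assumption that the client's underscore variant reaches the application unchanged and is processed after the proxy's field are all constructed for the example.

```python
# Added illustration (not Django's code): how CGI/WSGI-style META key
# normalisation conflates "X-Forwarded-Proto" with "X_Forwarded_Proto".
# The header list below is constructed, in ASGI's [(name, value), ...] form.


def meta_key(name):
    """b'x-forwarded-proto' -> 'HTTP_X_FORWARDED_PROTO' (the CGI convention)."""
    return "HTTP_" + name.decode("latin-1").upper().replace("-", "_")


def build_meta_naive(headers):
    """Ambiguous mapping: the hyphen and underscore spellings land on the same
    key, so whichever occurrence is processed last silently wins."""
    meta = {}
    for name, value in headers:
        meta[meta_key(name)] = value.decode("latin-1")
    return meta


def build_meta_hardened(headers):
    """Only hyphenated names are mapped; a name containing an underscore is
    dropped before normalisation (nginx does the same by default), so it can
    never shadow a header set by the trusted proxy."""
    meta = {}
    for name, value in headers:
        if b"_" in name:
            continue
        meta[meta_key(name)] = value.decode("latin-1")
    return meta


def is_secure(meta):
    """Stand-in for a SECURE_PROXY_SSL_HEADER-style check that trusts the
    proxy's X-Forwarded-Proto to decide whether the request arrived over TLS."""
    return meta.get("HTTP_X_FORWARDED_PROTO") == "https"


# Constructed scenario: a TLS-terminating proxy sets X-Forwarded-Proto: http
# for a plaintext request, while the client's own X_Forwarded_Proto (assumed
# to be forwarded untouched and seen after the proxy's field) claims https.
CONSTRUCTED_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-proto", b"http"),
    (b"x_forwarded_proto", b"https"),
]

if __name__ == "__main__":
    naive = build_meta_naive(CONSTRUCTED_HEADERS)
    hardened = build_meta_hardened(CONSTRUCTED_HEADERS)
    print("naive:   ", naive, "secure?", is_secure(naive))
    print("hardened:", hardened, "secure?", is_secure(hardened))
```

    Whether the naive mapping ends up holding the attacker's or the proxy's value depends on header order and on how duplicate fields are merged; the point of the hardened variant is that the question never arises. Dropping underscored names is the policy nginx applies by default (`underscores_in_headers off`), but the application should refuse the ambiguity itself rather than rely on every proxy in the path doing so.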

    CVE-2026-33034 (GCVE-0-2026-33034)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 20:44
    Title
    Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Superior Natalia Bidart Jacob Walls
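
    The summary above says the limit could be bypassed when `Content-Length` was missing or understated, that is, when the check was made against the header rather than against what was actually read. The Python below is an added example of that difference; it is not Django's `HttpRequest.body` implementation and not its fix. The `receive()` stub, the 1 MiB limit, the 6.4 MB of chunks and the understated header are constructed for the example.

```python
# Added example (not Django's code): enforcing an in-memory body limit while
# reading an ASGI request body. The reader, the limit and the messages fed to
# receive() are constructed here for illustration.
import asyncio


class RequestDataTooBig(Exception):
    """Raised when the body would exceed the in-memory limit."""


def make_receive(chunks):
    """Build an ASGI-style receive() that hands out the constructed chunks."""
    pending = list(chunks)

    async def receive():
        body = pending.pop(0) if pending else b""
        return {"type": "http.request", "body": body, "more_body": bool(pending)}

    return receive


def declared_length(headers, limit):
    """Parse Content-Length if present; reject malformed or oversized values."""
    raw = dict(headers).get(b"content-length")
    if raw is None:
        return None
    try:
        n = int(raw)
    except ValueError:
        raise RequestDataTooBig("malformed Content-Length") from None
    if n < 0 or n > limit:
        raise RequestDataTooBig(f"Content-Length {n} exceeds limit {limit}")
    return n


async def read_body_trusting_header(receive, headers, limit):
    """Weak pattern: the only check is against the header, so a missing or
    understated Content-Length lets the loop buffer whatever the peer sends."""
    declared_length(headers, limit)
    parts = []
    while True:
        message = await receive()
        parts.append(message.get("body", b""))
        if not message.get("more_body", False):
            break
    return b"".join(parts)


async def read_body_bounded(receive, headers, limit):
    """Hardened: the header check is kept as a cheap early rejection, but the
    limit is enforced on the bytes actually received."""
    declared_length(headers, limit)
    parts, total = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > limit:
            raise RequestDataTooBig(f"body exceeded {limit} bytes after {total}")
        parts.append(chunk)
        if not message.get("more_body", False):
            break
    return b"".join(parts)


def read_sync(reader, chunks, headers, limit):
    """Run a reader to completion; return the body, or the rejection reason."""
    try:
        return asyncio.run(reader(make_receive(chunks), headers, limit))
    except RequestDataTooBig as exc:
        return f"rejected: {exc}"


LIMIT = 1024 * 1024                      # constructed 1 MiB limit
CHUNKS = [b"A" * 65536] * 100            # 6.4 MB actually sent
HEADERS = [(b"content-length", b"10")]   # understated by the client

if __name__ == "__main__":
    body = read_sync(read_body_trusting_header, CHUNKS, HEADERS, LIMIT)
    print("trusting reader buffered", len(body), "bytes")
    print("bounded reader:", read_sync(read_body_bounded, CHUNKS, HEADERS, LIMIT))
```

    Both readers keep the header check, since rejecting an honestly declared oversize body before reading it is cheap; only the bounded reader counts bytes as they arrive, and that is the check that matters when the header is absent, wrong or attacker controlled. Whether the ASGI server in front of the application reconciles `Content-Length` with the bytes it forwards varies by server, so the application-level count should not be conditional on it.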

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:43:43.119514Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:44:01.819Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Superior"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header could\u003c/p\u003e\u003cp\u003ebypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\u003c/p\u003e\u003cp\u003e`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\u003c/p\u003e\u003cp\u003ememory.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Superior for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:59.942Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-24T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-17T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-33034",
        "datePublished": "2026-04-07T14:22:59.942Z",
        "dateReserved": "2026-03-17T17:36:23.992Z",
        "dateUpdated": "2026-04-07T20:44:01.819Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33033 (GCVE-0-2026-33033)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:21
    Title
    Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Seokchan Yoon Natalia Bidart Jacob Walls
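
    The summary above attributes the slowdown to base64 parts containing excessive whitespace but says nothing about the parser internals. The Python below is an added example of two practical defences against that class of input; it is not Django's `MultiPartParser` and is not a reconstruction of the actual slow path. It shows a chunked decoder that strips whitespace exactly once per chunk and carries at most three symbols across chunk boundaries, plus a cumulative bound on the share of whitespace it is willing to skip. The sample payload, the chunk sizes and the 50% threshold are constructed.

```python
# Added example (not Django's MultiPartParser): a single-pass chunked base64
# decoder that strips whitespace once per chunk, carries at most three symbols
# between chunks, and bounds the share of whitespace it is willing to skip.
# The sample payload and the whitespace-stuffed variant are constructed here.
import base64
import binascii

BASE64_WHITESPACE = b" \t\r\n"


class SuspiciousEncoding(Exception):
    """Raised when a part is mostly whitespace rather than base64 symbols."""


def decode_base64_chunks(chunks, max_whitespace_ratio=0.5, min_sample=1024):
    """Decode base64 arriving in arbitrary chunk sizes in linear time.

    Each chunk is cleaned once, joined with the leftover (< 4) symbols from the
    previous chunk, and decoded in whole 4-symbol groups, so no byte is
    re-scanned. Once `min_sample` bytes have been seen, a cumulative whitespace
    share above `max_whitespace_ratio` aborts the decode.
    """
    out, carry = [], b""
    seen = whitespace = 0
    for chunk in chunks:
        seen += len(chunk)
        cleaned = chunk.translate(None, BASE64_WHITESPACE)
        whitespace += len(chunk) - len(cleaned)
        if seen >= min_sample and whitespace > max_whitespace_ratio * seen:
            raise SuspiciousEncoding(f"{whitespace} of {seen} bytes are whitespace")
        buffered = carry + cleaned
        usable = len(buffered) - len(buffered) % 4
        if usable:
            out.append(base64.b64decode(buffered[:usable], validate=True))
        carry = buffered[usable:]
    if carry:
        raise binascii.Error("base64 data ends mid-group")
    return b"".join(out)


def split_into_chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def try_decode(chunks):
    """Return the decoded bytes, or a short rejection reason."""
    try:
        return decode_base64_chunks(chunks)
    except (SuspiciousEncoding, binascii.Error) as exc:
        return f"rejected: {exc}"


# Constructed sample: 901 bytes (so the encoding ends in '=' padding), wrapped
# at 76 columns the way MIME encoders do, then delivered in 7-byte chunks.
SAMPLE = b"multipart payload!" * 50 + b"x"
WRAPPED = base64.encodebytes(SAMPLE)
CHUNKS_OK = split_into_chunks(WRAPPED, 7)

# Abusive variant: forty spaces after every symbol, delivered in 1000-byte chunks.
STUFFED = b"".join(bytes([c]) + b" " * 40 for c in base64.b64encode(SAMPLE))
CHUNKS_STUFFED = split_into_chunks(STUFFED, 1000)

if __name__ == "__main__":
    print("wrapped sample round-trips:", try_decode(CHUNKS_OK) == SAMPLE)
    print("whitespace-stuffed sample:", try_decode(CHUNKS_STUFFED))
```

    Legitimate MIME-wrapped base64 carries one line break every 76 characters, well under 3% whitespace, so a 50% bound is generous for real clients while a whitespace-stuffed part fails within its first couple of chunks. Whatever decoder is used, a part should pass through it once in fixed-size chunks; re-scanning or re-concatenating the accumulated buffer on every chunk is the usual source of quadratic behaviour in this kind of parser.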

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:21:08.357477Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:21:27.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:48.624Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-19T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-17T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-33033",
        "datePublished": "2026-04-07T14:22:48.624Z",
        "dateReserved": "2026-03-17T17:36:23.992Z",
        "dateUpdated": "2026-04-07T15:21:27.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25674 (GCVE-0-2026-25674)

    Vulnerability from nvd – Published: 2026-03-03 14:28 – Updated: 2026-03-03 15:27
    Title
    Potential incorrect permissions on newly created file system objects
    Summary
    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.3 (semver)
    Unaffected: 6.0.3 (semver)
    Affected: 5.2 , < 5.2.12 (semver)
    Unaffected: 5.2.12 (semver)
    Affected: 4.2 , < 4.2.29 (semver)
    Unaffected: 4.2.29 (semver)
    Date Public
    2026-03-03 08:00
    Credits
    Tarek Nakkouch Natalia Bidart Natalia Bidart
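
    The summary above describes a process-wide `umask` being changed temporarily while other threads create files. The Python below is an added example of why that pattern races in a threaded worker and of a umask-independent alternative; it is not Django's storage or file-cache code and does not claim to be the fix that shipped. The race harness, the target mode `0o640` and the umask-flipping thread are constructed, and the code needs a POSIX filesystem for `os.fchmod()`.

```python
# Added example (not Django's storage or cache code): why a temporary umask
# change is unsafe in a threaded process, and a umask-independent way to create
# a file with an exact mode. The race harness and modes are constructed here.
import os
import stat
import sys
import tempfile
import threading


def create_with_umask_dance(path, mode):
    """Racy pattern: clear the process-wide umask so open() yields `mode`
    exactly, then restore it. Every other thread that creates a file inside
    that window inherits the altered umask, and this thread can itself be
    interleaved with another thread's change."""
    old = os.umask(0)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode))
    finally:
        os.umask(old)


def create_with_exact_mode(path, mode):
    """umask-independent: create the file as restrictively as possible, then
    set the requested bits on the open descriptor. The umask is never touched,
    so concurrent threads cannot influence the result."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_under_umask(umask, creator=create_with_exact_mode, want=0o640):
    """Create one file with `creator` while the process umask is `umask`."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "f")
            creator(path, want)
            return mode_of(path)
    finally:
        os.umask(previous)


def race_demo(rounds=300, creator=create_with_exact_mode, want=0o640):
    """Create `rounds` files while a second thread keeps flipping the umask;
    return how many came out with a mode other than `want`."""
    stop = threading.Event()

    def flipper():
        while not stop.is_set():
            os.umask(0o077)
            os.umask(0o000)

    previous = os.umask(0o022)
    old_interval = sys.getswitchinterval()
    sys.setswitchinterval(1e-5)          # force frequent thread switches
    thread = threading.Thread(target=flipper)
    thread.start()
    mismatches = 0
    try:
        with tempfile.TemporaryDirectory() as tmp:
            for i in range(rounds):
                path = os.path.join(tmp, f"f{i}")
                creator(path, want)
                if mode_of(path) != want:
                    mismatches += 1
    finally:
        stop.set()
        thread.join()
        sys.setswitchinterval(old_interval)
        os.umask(previous)
    return mismatches


if __name__ == "__main__":
    print("umask dance, files with wrong mode:", race_demo(creator=create_with_umask_dance))
    print("exact mode,  files with wrong mode:", race_demo(creator=create_with_exact_mode))
```

    Run stand-alone, the umask dance typically yields some files at `0o600` instead of `0o640` (the count depends on scheduling and can be zero on a quiet machine), while the exact-mode path never does. The race exists only in threaded deployments; a prefork-only server gives each request its own process and therefore its own umask. A quick audit for this pattern is to search the code base and its dependencies for `os.umask(` and question any call that is not part of process start-up.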

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25674",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:27:07.815602Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T15:27:10.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.12",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.12",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.29",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.29",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tarek Nakkouch"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-03-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003eRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread\u0026#x27;s temporary `umask` change affects other threads in multi-threaded environments.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\nRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread\u0027s temporary `umask` change affects other threads in multi-threaded environments.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26: Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T14:28:37.751Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.3, 5.2.12, and 4.2.29",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-20T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-02-20T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-03-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential incorrect permissions on newly created file system objects",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-25674",
        "datePublished": "2026-03-03T14:28:37.751Z",
        "dateReserved": "2026-02-04T18:27:10.658Z",
        "dateUpdated": "2026-03-03T15:27:10.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
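The umask race in CVE-2026-25674 above, as an added Python illustration that is not Django's code: one thread clears the process-wide umask for the duration of its own work (the pattern used to make mkdir() honour an exact mode) while a second thread creates a file, and that file comes out world-readable even though the process umask was 0o077. The second variant sets the mode with fchmod() after creation, which does not depend on the umask at all. It assumes a POSIX system (os.fchmod, real permission bits); the file name, the thread handshake and the 0o077 umask are constructed for the example.

```python
import os
import stat
import tempfile
import threading

# Flags for creating a file that must not already exist.
_CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL


def _lower_umask_temporarily(saved, window_open, window_close):
    """Worker thread that clears the umask while it does its own work.
    umask is per-process, so every other thread sees 0o000 meanwhile."""
    saved.append(os.umask(0o000))
    window_open.set()
    window_close.wait(timeout=5)
    os.umask(saved[0])


def create_during_umask_window(directory, explicit_mode=None):
    """Create 'secret.txt' in *directory* while another thread has the umask
    cleared, and return the permission bits the file ended up with.

    explicit_mode=None  -> rely on 'open with 0o666 minus umask' (racy)
    explicit_mode=0o600 -> set the mode with fchmod() (umask-independent)
    """
    path = os.path.join(directory, "secret.txt")  # constructed file name
    window_open, window_close, saved = threading.Event(), threading.Event(), []
    worker = threading.Thread(
        target=_lower_umask_temporarily, args=(saved, window_open, window_close)
    )
    worker.start()
    window_open.wait(timeout=5)  # from here on we are inside the other thread's window
    try:
        fd = os.open(path, _CREATE_FLAGS, 0o666)
        try:
            if explicit_mode is not None:
                os.fchmod(fd, explicit_mode)  # not affected by the umask
            os.write(fd, b"constructed secret\n")
        finally:
            os.close(fd)
    finally:
        window_close.set()
        worker.join(timeout=5)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run both variants under a restrictive umask (0o077, so the intended
    mode is 0o600) and return (racy_mode, explicit_mode)."""
    previous = os.umask(0o077)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = create_during_umask_window(d)
        with tempfile.TemporaryDirectory() as d:
            fixed = create_during_umask_window(d, explicit_mode=0o600)
    finally:
        os.umask(previous)
    return racy, fixed


if __name__ == "__main__":
    racy, fixed = demo()
    print(f"racy open(): {racy:o}   explicit fchmod(): {fixed:o}")
```

The handshake makes the interleaving deterministic so the effect is visible every run; in production the window is only as wide as the other thread's mkdir(), which is exactly why such bugs surface under load rather than in tests. The same reasoning applies to directories: create them and then chmod() to the intended mode instead of widening the umask.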

    CVE-2026-25673 (GCVE-0-2026-25673)

    Vulnerability from nvd – Published: 2026-03-03 14:28 – Updated: 2026-06-30 03:20
    Title
    Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
    Summary
    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.3 (semver)
    Unaffected: 6.0.3 (semver)
    Affected: 5.2 , < 5.2.12 (semver)
    Unaffected: 5.2.12 (semver)
    Affected: 4.2 , < 4.2.29 (semver)
    Unaffected: 4.2.29 (semver)
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2 (default status: unaffected)
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9 (default status: unaffected)
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6 (default status: unaffected)
    Date Public
    2026-03-03 08:00
    Credits
    Seokchan Yoon (reporter), Natalia Bidart (remediation developer, coordinator)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25673",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:25:53.980126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T15:26:02.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-03T14:28:28.601Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Django. A remote attacker can exploit a vulnerability in the `URLField.to_python()` function, specifically when Django is running on the Windows platform. This function, which utilizes `urllib.parse.urlsplit()`, performs a disproportionately slow normalization process for certain Unicode characters. By submitting large URL inputs containing these characters, an attacker can trigger a denial of service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:20:03.461Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-25673"
              },
              {
                "name": "RHBZ#2444115",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444115"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25673.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-03T15:01:31.969Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-03T14:28:28.601Z",
                "value": "Made public."
              }
            ],
            "title": "django: Django: Denial of Service via slow URL normalization on Windows",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.12",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.12",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.29",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.29",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-03-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003e`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227: Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T14:28:28.601Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.3, 5.2.12, and 4.2.29",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-27T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-02-20T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-03-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-25673",
        "datePublished": "2026-03-03T14:28:28.601Z",
        "dateReserved": "2026-02-04T18:27:10.657Z",
        "dateUpdated": "2026-06-30T03:20:03.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
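An added Python illustration (not Django's code) of the ordering problem behind CVE-2026-25673: a field whose clean() converts with urlsplit() before running its length validator reaches the NFKC normalisation of the netloc for input of any size, while the hardened variant bounds the raw length first. The field classes, the ValidationError stand-in, MAX_URL_LENGTH and the 100k-character payload are constructed for the example; the slowness itself is Windows-specific and is not reproduced here, only whether the parser is reached at all.

```python
from urllib.parse import urlsplit

# Illustrative bound on raw input; the right value is application-specific.
MAX_URL_LENGTH = 2048


class ValidationError(ValueError):
    """Stand-in for a form-validation error (constructed for this example)."""


class NaiveURLField:
    """Field whose clean() converts first and validates second: to_python()
    hands the raw value to urlsplit(), which NFKC-normalises a non-ASCII
    netloc, before the length validator ever runs."""

    def __init__(self, max_length=MAX_URL_LENGTH):
        self.max_length = max_length
        self.parse_calls = 0  # how many times urlsplit() was reached

    def to_python(self, value):
        self.parse_calls += 1
        try:
            parts = urlsplit(value.strip())
        except ValueError as exc:  # e.g. a delimiter introduced by NFKC
            raise ValidationError("Enter a valid URL.") from exc
        if not parts.scheme or not parts.netloc:
            raise ValidationError("Enter a valid URL.")
        return parts.geturl()

    def run_validators(self, value):
        if len(value) > self.max_length:
            raise ValidationError(f"Ensure this value has at most {self.max_length} characters.")

    def clean(self, value):
        value = self.to_python(value)  # expensive step runs on unbounded input
        self.run_validators(value)
        return value


class BoundedURLField(NaiveURLField):
    """Hardened variant: reject oversized raw input before parsing it."""

    def to_python(self, value):
        if len(value) > self.max_length:
            raise ValidationError(f"Ensure this value has at most {self.max_length} characters.")
        return super().to_python(value)


def nfkc_rejects(url):
    """True when urlsplit() refuses the URL because NFKC normalisation of its
    non-ASCII netloc would introduce a delimiter. This is the normalisation
    step the advisory describes as disproportionately slow on Windows."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


def parse_calls_for(field_cls, payload):
    """Feed *payload* to a fresh field and report how often the parser ran."""
    field = field_cls(max_length=MAX_URL_LENGTH)
    try:
        field.clean(payload)
    except ValidationError:
        pass
    return field.parse_calls


# Constructed payload: a 100k-character netloc of non-ASCII characters that
# each need compatibility normalisation (U+FB01 is the 'fi' ligature).
OVERSIZED_URL = "http://" + "\ufb01" * 100_000 + ".example/"

if __name__ == "__main__":
    print("naive field parsed oversized input:", parse_calls_for(NaiveURLField, OVERSIZED_URL))
    print("bounded field parsed oversized input:", parse_calls_for(BoundedURLField, OVERSIZED_URL))
    print("NFKC check rejects fullwidth solidus in host:", nfkc_rejects("http://evil\uff0fexample.com/"))
```

The point to check in your own forms is the same: a max_length on the field only helps if it is enforced before the conversion step, and any layer in front of the application (proxy or WSGI server request-size limits) is a second, independent bound.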

    CVE-2026-48587 (GCVE-0-2026-48587)

    Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47
    Title
    Potential exposure of private data via whitespace padding in Vary header
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1023 - Incomplete Comparison with Missing Factors
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Navid Rezazadeh (reporter), Jake Howard (remediation developer), Natalia Bidart (coordinator)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48587",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:47:33.121791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:47:55.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Navid Rezazadeh"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.utils.cache.has_vary_header()\u003c/code\u003e in Django does not strip leading or trailing whitespace from \u003ccode\u003eVary\u003c/code\u003e response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Navid Rezazadeh for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1023",
                  "description": "CWE-1023: Incomplete Comparison with Missing Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:47.811Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-11T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-26T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via whitespace padding in Vary header",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-48587",
        "datePublished": "2026-06-03T13:16:47.811Z",
        "dateReserved": "2026-05-21T20:50:32.465Z",
        "dateUpdated": "2026-06-03T15:47:55.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35193 (GCVE-0-2026-35193)

    Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47
    Title
    Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Shai Berger (reporter), Jacob Walls (remediation developer), Natalia Bidart (coordinator)
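The two cache-middleware checks above (the whitespace-padded Vary value in CVE-2026-48587 and the missing Vary: Authorization in CVE-2026-35193), as one added Python illustration that models a shared-cache decision function. It is not Django's code: the header dictionaries, the function names (should_store, add_vary_authorization, cache_key) and the sample requests are constructed. The buggy has_vary_header_padded_bug() misses ' Cookie ' and so would let a session-setting response be stored for a cookie-less request; cache_key() shows an authenticated and an anonymous request to the same URL mapping to one cache entry until Authorization is listed in Vary.

```python
import hashlib
import re

# List-valued headers are comma-separated; this split tolerates padding around
# commas but leaves leading/trailing whitespace of the whole value in place.
_DELIM = re.compile(r"\s*,\s*")


def _ci(headers):
    """Case-insensitive view of a header mapping (header names are case-insensitive)."""
    return {k.lower(): v for k, v in headers.items()}


def vary_header_names(vary_value):
    """Header names listed in a Vary value: split, strip each token, lower-case."""
    if not vary_value:
        return set()
    return {tok.strip().lower() for tok in _DELIM.split(vary_value) if tok.strip()}


def has_vary_header_padded_bug(response_headers, name):
    """Buggy check: tokens are lower-cased but never stripped, so a padded
    value such as ' Cookie ' does not match 'cookie'."""
    value = _ci(response_headers).get("vary")
    if value is None:
        return False
    return name.lower() in {tok.lower() for tok in _DELIM.split(value)}


def has_vary_header(response_headers, name):
    """Fixed check: whitespace-insensitive and case-insensitive."""
    return name.lower() in vary_header_names(_ci(response_headers).get("vary"))


def cache_control_directives(value):
    """Directive names from a Cache-Control value, lower-cased (the names are
    case-insensitive); any '=argument' part is dropped."""
    if not value:
        return set()
    return {tok.split("=", 1)[0].strip().lower() for tok in _DELIM.split(value) if tok.strip()}


def should_store(request_headers, response_headers, response_sets_cookie):
    """Whether a shared cache may store this response at all."""
    cc = cache_control_directives(_ci(response_headers).get("cache-control"))
    if cc & {"private", "no-store"}:
        return False
    # A cookie-less request answered with Set-Cookie and Vary: Cookie is user-specific;
    # storing it would hand the first visitor's session to every later visitor.
    if (response_sets_cookie and "cookie" not in _ci(request_headers)
            and has_vary_header(response_headers, "Cookie")):
        return False
    return True


def add_vary_authorization(request_headers, response_headers):
    """Copy of the response headers in which Vary lists Authorization whenever
    the request carried Authorization and the response is not explicitly public."""
    out = dict(response_headers)
    if "authorization" not in _ci(request_headers):
        return out
    if "public" in cache_control_directives(_ci(out).get("cache-control")):
        return out
    names = vary_header_names(_ci(out).get("vary"))
    if "authorization" not in names:
        for key in [k for k in out if k.lower() == "vary"]:
            del out[key]
        out["Vary"] = ", ".join(sorted(names | {"authorization"}))
    return out


def cache_key(url, request_headers, response_headers):
    """Cache key: the URL plus the request's value of every header named in
    Vary. Two requests share an entry exactly when these match."""
    req = _ci(request_headers)
    parts = [url]
    for name in sorted(vary_header_names(_ci(response_headers).get("vary"))):
        parts.append(f"{name}={req.get(name, '')}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def demo():
    """Constructed requests and responses exercising both advisories."""
    anon = {"Host": "app.example"}
    padded = {"Vary": " Cookie ", "Cache-Control": "max-age=60"}
    bug_sees_cookie = has_vary_header_padded_bug(padded, "Cookie")  # False: would be stored
    fix_sees_cookie = has_vary_header(padded, "Cookie")             # True
    stored = should_store(anon, padded, response_sets_cookie=True)  # False

    auth = {"Host": "app.example", "Authorization": "Bearer alice-token"}
    resp = {"Cache-Control": "max-age=60", "Vary": "Accept-Encoding"}
    shared_entry = cache_key("/account", auth, resp) == cache_key("/account", anon, resp)  # True: leak
    fixed = add_vary_authorization(auth, resp)
    separated = cache_key("/account", auth, fixed) != cache_key("/account", anon, fixed)  # True
    return bug_sees_cookie, fix_sees_cookie, stored, shared_entry, separated
```

Both bugs are comparison defects in the decision that sits in front of a shared cache, so the regression tests worth keeping are header-normalisation cases (padding, mixed case, empty tokens) and a key-equality case for an authenticated versus anonymous request to the same URL.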

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35193",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:47:08.153480Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:47:18.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shai Berger"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not add \u003ccode\u003eAuthorization\u003c/code\u003e to the \u003ccode\u003eVary\u003c/code\u003e response header for requests bearing that header without \u003ccode\u003eCache-Control: public\u003c/code\u003e, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Shai Berger for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:38.456Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-28T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-35193",
        "datePublished": "2026-06-03T13:16:38.456Z",
        "dateReserved": "2026-04-01T18:21:23.779Z",
        "dateUpdated": "2026-06-03T15:47:18.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8404 (GCVE-0-2026-8404)

    Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:46
    Title
    Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
    Summary
    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-178 - Improper Handling of Case Sensitivity
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Ahmed Badawe Jake Howard Natalia Bidart

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8404",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:46:33.911128Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:46:40.439Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ahmed Badawe"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not match \u003ccode\u003eCache-Control\u003c/code\u003e response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their \u003ccode\u003eCache-Control\u003c/code\u003e directives used uppercase or mixed-case values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmed Badawe for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-178",
                  "description": "CWE-178: Improper Handling of Case Sensitivity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:29.593Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-06T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-8404",
        "datePublished": "2026-06-03T13:16:29.593Z",
        "dateReserved": "2026-05-12T15:06:18.803Z",
        "dateUpdated": "2026-06-03T15:46:40.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7666 (GCVE-0-2026-7666)

    Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43
    Title
    Potential unencrypted email transmission via STARTTLS in the SMTP backend
    Summary
    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Kasper Dupont Jake Howard Natalia Bidart

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7666",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:43:26.714914Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:43:34.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kasper Dupont"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.core.mail.backends.smtp.EmailBackend\u003c/code\u003e in Django fails to prevent reuse of a partially-initialized connection after a failed \u003ccode\u003eSTARTTLS\u003c/code\u003e handshake when \u003ccode\u003efail_silently=True\u003c/code\u003e, which allows on-path network attackers to read email content via cleartext interception.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kasper Dupont for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-94",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-94: Adversary in the Middle (AiTM)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:15.446Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-22T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential unencrypted email transmission via STARTTLS in the SMTP backend",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-7666",
        "datePublished": "2026-06-03T13:16:15.446Z",
        "dateReserved": "2026-05-01T19:59:31.353Z",
        "dateUpdated": "2026-06-03T15:43:34.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6873 (GCVE-0-2026-6873)

    Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43
    Title
    Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
    Summary
    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.6 (python)
    Unaffected: 6.0.6 (python)
    Affected: 5.2 , < 5.2.15 (python)
    Unaffected: 5.2.15 (python)
    Date Public
    2026-06-03 08:00
    Credits
    Peng Zhou Paul McMillan Natalia Bidart

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T15:43:52.491634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T15:43:58.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.6",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.6",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.15",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.15",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peng Zhou"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Paul McMillan"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-06-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.http.HttpRequest.get_signed_cookie\u003c/code\u003e in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct \u003ccode\u003e(name, salt)\u003c/code\u003e pairs that produce the same concatenation.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Peng Zhou for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Peng Zhou for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-475",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-475: Signature Spoofing by Improper Validation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-03T13:16:03.924Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.6 and 5.2.15",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-27T00:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-06-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-6873",
        "datePublished": "2026-06-03T13:16:03.924Z",
        "dateReserved": "2026-04-22T18:12:39.603Z",
        "dateUpdated": "2026-06-03T15:43:58.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35192 (GCVE-0-2026-35192)

    Vulnerability from cvelistv5 – Published: 2026-05-05 14:50 – Updated: 2026-05-06 15:25
    Title
    Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-539 - Use of Persistent Cookies Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Cantina Jake Howard Sarah Boyce
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:04:02.535125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:28.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Cantina"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003eResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user\u0026#x27;s session after that user visits a cached public page.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nResponse headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user\u0027s session after that user visits a cached public page.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-60",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-60: Reusing Session IDs (aka Session Replay)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-539",
                  "description": "CWE-539: Use of Persistent Cookies Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:50:29.984Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-11T10:54:40.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-01T10:54:43.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-35192",
        "datePublished": "2026-05-05T14:50:29.984Z",
        "dateReserved": "2026-04-01T18:21:23.779Z",
        "dateUpdated": "2026-05-06T15:25:28.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6907 (GCVE-0-2026-6907)

    Vulnerability from cvelistv5 – Published: 2026-05-05 14:50 – Updated: 2026-05-06 15:25
    Title
    Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Ahmad Sadeddin Sarah Boyce Sarah Boyce
    Show details on NVD website
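The two records above (CVE-2026-35192 and CVE-2026-6907) describe the same class of mistake in a shared page cache: admitting a response that is really per-visitor. What follows is an added example, not Django's code and not taken from the advisories. It models a minimal shared cache with the conservative admission rules that refuse both recorded responses (one carrying Vary: *, one a public page whose response sets the session cookie without varying on Cookie), next to a naive mode that reproduces the replay. The header names, sample responses and sessionid values are constructed for illustration; Django's actual middleware logic is not reproduced.

```python
"""Admission rules for a shared HTTP cache (constructed example, not Django code).

Models the two recorded failure modes: a response carrying Vary: * being stored
and replayed, and a public page whose response sets the session cookie without
varying on Cookie, so the next visitor receives the first visitor's session id.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: bytes
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        for k, v in self.headers.items():  # HTTP field names are case-insensitive
            if k.lower() == name.lower():
                return v
        return None


def vary_fields(response: Response) -> set[str]:
    """Lower-cased field names listed in Vary; a bare * is kept as "*"."""
    raw = response.header("Vary") or ""
    return {f.strip().lower() for f in raw.split(",") if f.strip()}


def is_shared_cacheable(response: Response) -> tuple[bool, str]:
    """(ok, reason) for storing response in a shared cache, per RFC 9111: Vary: *
    never matches a later request; private/no-store forbid shared storage; and a
    response that sets a cookie is per-recipient unless the key varies on Cookie."""
    vary = vary_fields(response)
    if "*" in vary:
        return False, "Vary: * never matches a subsequent request"
    cc = response.header("Cache-Control") or ""
    directives = {p.split("=", 1)[0].strip().lower() for p in cc.split(",")}
    if directives & {"private", "no-store"}:
        return False, "Cache-Control forbids shared storage"
    if response.header("Set-Cookie") is not None and "cookie" not in vary:
        return False, "sets a cookie without Vary: Cookie"
    return True, "ok"


def cache_key(method: str, url: str, req_headers: dict[str, str], vary: set[str]) -> str:
    """Key on method, URL and the value of every request header named in Vary."""
    lowered = {k.lower(): v for k, v in req_headers.items()}
    h = hashlib.sha256(f"{method} {url}".encode())
    for name in sorted(vary):
        h.update(f"\n{name}: {lowered.get(name, '')}".encode())
    return h.hexdigest()


class SharedCache:
    """strict=False reproduces the unsafe behaviour: store anything, key only on Vary."""
    def __init__(self, strict: bool = True):
        self.strict = strict
        self._entries: dict[str, list[tuple[set[str], str, Response]]] = {}
        self.refusals: list[str] = []

    def store(self, method: str, url: str, req_headers: dict[str, str], response: Response) -> bool:
        if self.strict:
            ok, reason = is_shared_cacheable(response)
            if not ok:
                self.refusals.append(reason)
                return False
        vary = vary_fields(response)
        self._entries.setdefault(url, []).append((vary, cache_key(method, url, req_headers, vary), response))
        return True

    def lookup(self, method: str, url: str, req_headers: dict[str, str]) -> Response | None:
        for vary, key, resp in self._entries.get(url, []):
            if cache_key(method, url, req_headers, vary) == key:
                return resp
        return None


def replay_to_second_visitor(strict: bool, response: Response) -> str | None:
    """Visitor one fetches /; return what a fresh, cookieless visitor two is then served."""
    cache = SharedCache(strict=strict)
    cache.store("GET", "/", {"Cookie": "sessionid=victim-session"}, response)
    hit = cache.lookup("GET", "/", {"Cookie": ""})
    if hit is None:
        return None
    return hit.header("Set-Cookie") or hit.body.decode()


# Constructed responses for the two recorded scenarios.
PUBLIC_PAGE_SETTING_SESSION = Response(200, b"<html>public page</html>", {
    "Set-Cookie": "sessionid=victim-session; Path=/", "Cache-Control": "max-age=600"})
PRIVATE_PAGE_VARY_STAR = Response(200, b"hello victim", {"Vary": "*", "Cache-Control": "max-age=600"})

if __name__ == "__main__":
    for resp in (PUBLIC_PAGE_SETTING_SESSION, PRIVATE_PAGE_VARY_STAR):
        print("naive :", replay_to_second_visitor(False, resp))
        print("strict:", replay_to_second_visitor(True, resp))
```

In naive mode the Vary: * entry matches every later request, because "*" is looked up as if it were a request header that nobody sends, and the public page hands visitor two a Set-Cookie carrying visitor one's session identifier. In strict mode neither response is stored, while a response that sets a cookie and also varies on Cookie is stored under a key that a different cookie cannot hit. The rules are deliberately conservative, and any CDN or reverse proxy in front of the application has to apply the same ones.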

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6907",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:03:42.610418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:33.698Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ahmad Sadeddin"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sarah Boyce"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003e`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0026#x27;*\u0026#x27;`). This can lead to private data being stored and served.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmad Sadeddin for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0027*\u0027`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-204",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:50:02.594Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-06T10:17:03.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-23T10:17:26.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-6907",
        "datePublished": "2026-05-05T14:50:02.594Z",
        "dateReserved": "2026-04-23T11:19:30.877Z",
        "dateUpdated": "2026-05-06T15:25:33.698Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5766 (GCVE-0-2026-5766)

    Vulnerability from cvelistv5 – Published: 2026-05-05 14:49 – Updated: 2026-05-06 15:25
    Title
    Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
    Summary
    An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-130 - Improper Handling of Length Parameter Inconsistency
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.5 (python)
    Unaffected: 6.0.5 (python)
    Affected: 5.2 , < 5.2.14 (python)
    Unaffected: 5.2.14 (python)
    Date Public
    2026-05-05 09:00
    Credits
    Kyle Agronick Jacob Walls Sarah Boyce
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5766",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T17:03:20.935294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:25:38.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.5",
                  "versionType": "python"
                },
                {
                  "lessThan": "5.2.14",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "python"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.14",
                  "versionType": "python"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Kyle Agronick"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Sarah Boyce"
            }
          ],
          "datePublic": "2026-05-05T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kyle Agronick for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\nASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.\r\n \r\nAs a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kyle Agronick for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-130",
                  "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T14:49:19.715Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.5 and 5.2.14",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-12T10:32:17.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-04-07T10:32:20.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-05-05T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-5766",
        "datePublished": "2026-05-05T14:49:19.715Z",
        "dateReserved": "2026-04-07T19:29:07.042Z",
        "dateUpdated": "2026-05-06T15:25:38.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33034 (GCVE-0-2026-33034)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 20:44
    Title
    Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Superior Natalia Bidart Jacob Walls
    Show details on NVD website
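CVE-2026-5766 and CVE-2026-33034 above are two instances of one trap: the memory limit was effectively checked against a Content-Length the client controls, so a missing or understated header let the real body exceed it. What follows is an added example, not Django's code, showing an ASGI body reader that caps on bytes actually received. The scope, the receive() message shapes and the uploads are constructed according to the ASGI HTTP specification; LIMIT is a stand-in for a DATA_UPLOAD_MAX_MEMORY_SIZE-style setting and has no connection to Django's defaults.

```python
"""Bounding an ASGI request body by bytes actually received (constructed example, not Django code).

The two records above describe the same trap: a request that omits or understates
Content-Length must not grow past the memory limit just because the declared size
looked small.  This reader rejects an oversized declared length early, then counts
every chunk that receive() delivers and fails as soon as the running total exceeds
the cap, before that chunk is buffered.
"""
from __future__ import annotations

import asyncio
from typing import Awaitable, Callable, Iterable

Receive = Callable[[], Awaitable[dict]]


class RequestTooLarge(Exception):
    """Body (declared or actual) exceeds the configured limit."""


def declared_length(headers: Iterable[tuple[bytes, bytes]]) -> int | None:
    """Content-Length from ASGI headers (byte name/value pairs), or None if absent or invalid."""
    for name, value in headers:
        if name.lower() == b"content-length":
            try:
                n = int(value)
            except ValueError:
                return None
            return n if n >= 0 else None
    return None


async def read_body(scope: dict, receive: Receive, max_bytes: int) -> bytes:
    """Read an ASGI HTTP body without ever buffering more than max_bytes."""
    length = declared_length(scope.get("headers", []))
    if length is not None and length > max_bytes:
        raise RequestTooLarge(f"declared Content-Length {length} > {max_bytes}")
    chunks: list[bytes] = []
    received = 0
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            raise ConnectionError("client disconnected mid-body")
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > max_bytes:  # the declared length is not trusted; count what arrived
            raise RequestTooLarge(f"received {received} bytes > {max_bytes} (declared {length})")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)


def fake_receive(chunks: list[bytes]) -> Receive:
    """A receive() callable streaming the constructed chunks as http.request messages."""
    queue = list(chunks) or [b""]  # an empty body is a single empty message

    async def receive() -> dict:
        if not queue:
            return {"type": "http.disconnect"}
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


def attempt(content_length: int | None, chunks: list[bytes], max_bytes: int) -> str:
    """Push one constructed upload through read_body and describe the outcome."""
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "headers": headers}
    try:
        body = asyncio.run(read_body(scope, fake_receive(chunks), max_bytes))
    except RequestTooLarge as exc:
        return f"rejected: {exc}"
    return f"accepted {len(body)} bytes"


LIMIT = 1024  # stand-in for a DATA_UPLOAD_MAX_MEMORY_SIZE-style setting

if __name__ == "__main__":
    print(attempt(512, [b"a" * 512], LIMIT))                # honest
    print(attempt(10, [b"a" * 600, b"a" * 600], LIMIT))     # understated Content-Length
    print(attempt(None, [b"a" * 4096], LIMIT))              # no Content-Length at all
    print(attempt(5000, [b"a" * 10], LIMIT))                # oversized declaration, rejected early
```

The understated (Content-Length: 10) and absent cases are both refused once the running total crosses the cap, while an honestly oversized declaration is refused before any body is read. As the CVE-2026-5766 text reminds, this is not a substitute for a request-size limit at the web server or ASGI server, which stops the bytes before they reach application code at all.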

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T20:43:43.119514Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:44:01.819Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Superior"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header could\u003c/p\u003e\u003cp\u003ebypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\u003c/p\u003e\u003cp\u003e`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\u003c/p\u003e\u003cp\u003ememory.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Superior for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:59.942Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-24T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-17T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-33034",
        "datePublished": "2026-04-07T14:22:59.942Z",
        "dateReserved": "2026-03-17T17:36:23.992Z",
        "dateUpdated": "2026-04-07T20:44:01.819Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33033 (GCVE-0-2026-33033)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:21
    Title
    Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Seokchan Yoon Natalia Bidart Jacob Walls

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:21:08.357477Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:21:27.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:48.624Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-19T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-17T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-33033",
        "datePublished": "2026-04-07T14:22:48.624Z",
        "dateReserved": "2026-03-17T17:36:23.992Z",
        "dateUpdated": "2026-04-07T15:21:27.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4292 (GCVE-0-2026-4292)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:12
    Title
    Privilege abuse in ModelAdmin.list_editable
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Cantina Jacob Walls Jacob Walls

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4292",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:12:50.786633Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:12:56.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Cantina"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\u003c/p\u003e\u003cp\u003einstances to be created via forged `POST` data.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122: Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:38.254Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-11T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-16T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Privilege abuse in ModelAdmin.list_editable",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-4292",
        "datePublished": "2026-04-07T14:22:38.254Z",
        "dateReserved": "2026-03-16T16:58:02.592Z",
        "dateUpdated": "2026-04-07T15:12:56.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4277 (GCVE-0-2026-4277)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-06-23 15:52
    Title
    Privilege abuse in GenericInlineModelAdmin
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    N05ec@LZU-DSLab Jacob Walls Jacob Walls

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4277",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T18:09:56.739026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:52:41.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "N05ec@LZU-DSLab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdd permissions on inline model instances were not validated on submission of\u003c/p\u003e\u003cp\u003eforged `POST` data in `GenericInlineModelAdmin`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank N05ec@LZU-DSLab for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122: Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:25.547Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-07T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-16T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Privilege abuse in GenericInlineModelAdmin",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-4277",
        "datePublished": "2026-04-07T14:22:25.547Z",
        "dateReserved": "2026-03-16T15:26:08.125Z",
        "dateUpdated": "2026-06-23T15:52:41.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3902 (GCVE-0-2026-3902)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 16:14
    Title
    ASGI header spoofing via underscore/hyphen conflation
    Summary
    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
    Unaffected: 6.0.4 (semver)
    Affected: 5.2 , < 5.2.13 (semver)
    Unaffected: 5.2.13 (semver)
    Affected: 4.2 , < 4.2.30 (semver)
    Unaffected: 4.2.30 (semver)
    Date Public
    2026-04-07 09:00
    Credits
    Tarek Nakkouch (reporter), Jacob Walls (remediation developer), Jacob Walls (coordinator)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3902",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T16:14:03.870418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T16:14:07.198Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.4",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.4",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.13",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.13",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.30",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.30",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tarek Nakkouch"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jacob Walls"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-04-07T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-151",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-151: Identity Spoofing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:07.190Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-23T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-03-10T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-04-07T09:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "ASGI header spoofing via underscore/hyphen conflation",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-3902",
        "datePublished": "2026-04-07T14:22:07.190Z",
        "dateReserved": "2026-03-10T18:33:26.472Z",
        "dateUpdated": "2026-04-07T16:14:07.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25674 (GCVE-0-2026-25674)

    Vulnerability from cvelistv5 – Published: 2026-03-03 14:28 – Updated: 2026-03-03 15:27
    Title
    Potential incorrect permissions on newly created file system objects
    Summary
    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.3 (semver)
    Unaffected: 6.0.3 (semver)
    Affected: 5.2 , < 5.2.12 (semver)
    Unaffected: 5.2.12 (semver)
    Affected: 4.2 , < 4.2.29 (semver)
    Unaffected: 4.2.29 (semver)
    Date Public
    2026-03-03 08:00
    Credits
    Tarek Nakkouch (reporter), Natalia Bidart (remediation developer), Natalia Bidart (coordinator)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25674",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:27:07.815602Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T15:27:10.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.12",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.12",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.29",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.29",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tarek Nakkouch"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-03-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003eRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread\u0026#x27;s temporary `umask` change affects other threads in multi-threaded environments.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\nRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread\u0027s temporary `umask` change affects other threads in multi-threaded environments.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26: Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "low"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T14:28:37.751Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.3, 5.2.12, and 4.2.29",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-20T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-02-20T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-03-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential incorrect permissions on newly created file system objects",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-25674",
        "datePublished": "2026-03-03T14:28:37.751Z",
        "dateReserved": "2026-02-04T18:27:10.658Z",
        "dateUpdated": "2026-03-03T15:27:10.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25673 (GCVE-0-2026-25673)

    Vulnerability from cvelistv5 – Published: 2026-03-03 14:28 – Updated: 2026-06-30 03:20
    Title
    Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
    Summary
    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.3 (semver)
    Unaffected: 6.0.3 (semver)
    Affected: 5.2 , < 5.2.12 (semver)
    Unaffected: 5.2.12 (semver)
    Affected: 4.2 , < 4.2.29 (semver)
    Unaffected: 4.2.29 (semver)
    Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
    Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Date Public
    2026-03-03 08:00
    Credits
    Seokchan Yoon (reporter), Natalia Bidart (remediation developer), Natalia Bidart (coordinator)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25673",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:25:53.980126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T15:26:02.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:discovery:2::el9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Discovery 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-03T14:28:28.601Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Django. A remote attacker can exploit a vulnerability in the `URLField.to_python()` function, specifically when Django is running on the Windows platform. This function, which utilizes `urllib.parse.urlsplit()`, performs a disproportionately slow normalization process for certain Unicode characters. By submitting large URL inputs containing these characters, an attacker can trigger a denial of service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:20:03.461Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-25673"
              },
              {
                "name": "RHBZ#2444115",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444115"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25673.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-03T15:01:31.969Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-03T14:28:28.601Z",
                "value": "Made public."
              }
            ],
            "title": "django: Django: Denial of Service via slow URL normalization on Windows",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.3",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.12",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.12",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.29",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.29",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Seokchan Yoon"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Natalia Bidart"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Natalia Bidart"
            }
          ],
          "datePublic": "2026-03-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003e`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227: Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T14:28:28.601Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.3, 5.2.12, and 4.2.29",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-27T12:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2026-02-20T12:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-03-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2026-25673",
        "datePublished": "2026-03-03T14:28:28.601Z",
        "dateReserved": "2026-02-04T18:27:10.657Z",
        "dateUpdated": "2026-06-30T03:20:03.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }