5.3
CVE-2026-48587
- EPSS 0.35%
- Veröffentlicht 03.06.2026 14:16:44
- Zuletzt bearbeitet 05.06.2026 13:03:01
- Quelle 6a34fbeb-21d4-45e7-8e0a-62b95b
- CVE-Watchlists
- Unerledigt
Potential exposure of private data via whitespace padding in Vary header
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Djangoproject ≫ Django Version >= 5.2 < 5.2.15
Djangoproject ≫ Django Version >= 6.0 < 6.0.6
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.271 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | 2.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
|
CWE-1023 Incomplete Comparison with Missing Factors
The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/