5.3

CVE-2026-48588

Potential exposure of private data via cached Set-Cookie response

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Chris Whyland for reporting this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version >= 5.2 < 5.2.16
DjangoprojectDjango Version >= 6.0 < 6.0.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.296
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 2.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE-524 Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

https://docs.djangoproject.com/en/dev/releases/security/
Patch
Vendor Advisory
https://groups.google.com/g/django-announce
Release Notes
https://www.djangoproject.com/weblog/2026/jul/07/security-releases/
Patch
Vendor Advisory