6.1

CVE-2026-53878

Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Bence Nagy for reporting this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version >= 5.2 < 5.2.16
DjangoprojectDjango Version >= 6.0 < 6.0.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.121
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-144 Improper Neutralization of Line Delimiters

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.

https://docs.djangoproject.com/en/dev/releases/security/
Patch
Vendor Advisory
https://groups.google.com/g/django-announce
Release Notes
https://www.djangoproject.com/weblog/2026/jul/07/security-releases/
Patch
Vendor Advisory