CVE-2026-53878
- EPSS 0.22%
- Veröffentlicht 07.07.2026 14:10:29
- Zuletzt bearbeitet 09.07.2026 12:58:17
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines ...
CVE-2026-53877
- EPSS 0.29%
- Veröffentlicht 07.07.2026 14:10:04
- Zuletzt bearbeitet 09.07.2026 12:59:39
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a...
CVE-2026-48588
- EPSS 0.38%
- Veröffentlicht 07.07.2026 14:09:32
- Zuletzt bearbeitet 09.07.2026 13:01:25
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers...
CVE-2026-7666
- EPSS 0.15%
- Veröffentlicht 03.06.2026 14:16:47
- Zuletzt bearbeitet 05.06.2026 12:46:04
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=Tru...
CVE-2026-8404
- EPSS 0.29%
- Veröffentlicht 03.06.2026 14:16:47
- Zuletzt bearbeitet 05.06.2026 12:38:18
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses...
CVE-2026-6873
- EPSS 0.25%
- Veröffentlicht 03.06.2026 14:16:46
- Zuletzt bearbeitet 05.06.2026 12:58:16
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to ...
CVE-2026-48587
- EPSS 0.35%
- Veröffentlicht 03.06.2026 14:16:44
- Zuletzt bearbeitet 05.06.2026 13:03:01
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attacke...
CVE-2026-35193
- EPSS 0.36%
- Veröffentlicht 03.06.2026 14:16:41
- Zuletzt bearbeitet 05.06.2026 13:03:52
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: pu...
CVE-2026-6907
- EPSS 0.36%
- Veröffentlicht 05.05.2026 16:16:18
- Zuletzt bearbeitet 07.05.2026 14:16:04
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and serve...
CVE-2026-5766
- EPSS 0.42%
- Veröffentlicht 05.05.2026 16:16:17
- Zuletzt bearbeitet 07.05.2026 14:16:39
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service...