Package details: pkg:deb/debian/python-django@3:5.2.14-2
purl: pkg:deb/debian/python-django@3:5.2.14-2
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (8)

Vulnerability: VCID-2as8-7qx6-2kba
Summary: django: Django: Information disclosure via improper handling of Vary header whitespace
Aliases: BIT-django-2026-48587, CVE-2026-48587, PYSEC-2026-198

Vulnerability: VCID-4gpn-bf2d-ybfb
Summary: python-django: Django: Information disclosure via non-injective cookie salt derivation
Aliases: BIT-django-2026-6873, CVE-2026-6873, PYSEC-2026-199

Vulnerability: VCID-55xg-pw9n-zkdy
Summary: django: Django: Information disclosure due to improper caching of authenticated responses
Aliases: BIT-django-2026-35193, CVE-2026-35193, PYSEC-2026-197

Vulnerability: VCID-abpe-htm1-9ubp
Summary: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Aliases: BIT-django-2026-35192, CVE-2026-35192, GHSA-7h2m-m8vj-598h, PYSEC-2026-50

Vulnerability: VCID-eqsc-axng-ckca
Summary: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
Aliases: BIT-django-2026-6907, CVE-2026-6907, GHSA-5hrc-gvxj-w55p, PYSEC-2026-55

Vulnerability: VCID-fsz5-dkw2-hyap
Summary: Django: Django: Information disclosure due to improper handling of Cache-Control directives
Aliases: BIT-django-2026-8404, CVE-2026-8404, PYSEC-2026-201

Vulnerability: VCID-fxuu-kk52-r7ch
Summary: django: Django: Information disclosure via failed STARTTLS handshake in EmailBackend
Aliases: BIT-django-2026-7666, CVE-2026-7666, PYSEC-2026-200

Vulnerability: VCID-m4am-h2ea-3ffr
Summary: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
Aliases: BIT-django-2026-5766, CVE-2026-5766, GHSA-w26r-rmm8-9c29, PYSEC-2026-54

Date                             | Actor           | Action | Vulnerability        | Source                                                   | VulnerableCode Version
2026-06-05T20:14:07.292271+00:00 | Debian Importer | Fixing | VCID-abpe-htm1-9ubp  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T20:11:17.608498+00:00 | Debian Importer | Fixing | VCID-eqsc-axng-ckca  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:48:11.335463+00:00 | Debian Importer | Fixing | VCID-4gpn-bf2d-ybfb  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:42:21.798654+00:00 | Debian Importer | Fixing | VCID-fxuu-kk52-r7ch  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:20:06.631941+00:00 | Debian Importer | Fixing | VCID-fsz5-dkw2-hyap  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:18:52.301515+00:00 | Debian Importer | Fixing | VCID-2as8-7qx6-2kba  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:03:58.980004+00:00 | Debian Importer | Fixing | VCID-m4am-h2ea-3ffr  | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-04T19:43:27.517320+00:00 | Debian Importer | Fixing | VCID-55xg-pw9n-zkdy  | https://security-tracker.debian.org/tracker/data/json | 38.6.0