summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.2.14.txt14
-rw-r--r--docs/releases/6.0.5.txt14
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/5.2.14.txt b/docs/releases/5.2.14.txt
index 681687efb1..0722e80a95 100644
--- a/docs/releases/5.2.14.txt
+++ b/docs/releases/5.2.14.txt
@@ -5,3 +5,17 @@ Django 5.2.14 release notes
*May 5, 2026*
Django 5.2.14 fixes three security issues with severity "low" in 5.2.13.
+
+CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
+======================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading
+large files into memory and causing service degradation.
+
+As a reminder, Django :ref:`expects a limit to be configured
+<user-uploaded-content-security>` at the web server level rather than solely
+relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/6.0.5.txt b/docs/releases/6.0.5.txt
index 1e7e1b2c3b..8613b604fb 100644
--- a/docs/releases/6.0.5.txt
+++ b/docs/releases/6.0.5.txt
@@ -7,6 +7,20 @@ Django 6.0.5 release notes
Django 6.0.5 fixes three security issues with severity "low" and several bugs
in 6.0.4.
+CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
+======================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading
+large files into memory and causing service degradation.
+
+As a reminder, Django :ref:`expects a limit to be configured
+<user-uploaded-content-security>` at the web server level rather than solely
+relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========