diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 08:51:05 -0400 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 08:51:52 -0400 |
| commit | e0936eef0c31e1ba6f7783403c4301080541fecc (patch) | |
| tree | 7fc7d5bc5d13656828461e92c8607f736c390550 | |
| parent | d22d35b9620fcfe2a72b6abfe67c0f3a0209d3d7 (diff) | |
[6.0.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 to security archive.
Backport of 3330dc2dd97f60ab32d3c912d2649859d063265c from main.
| -rw-r--r-- | docs/releases/security.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/docs/releases/security.txt b/docs/releases/security.txt index acab6487a7..b689d90f1d 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -36,6 +36,63 @@ Issues under Django's security process All security issues have been handled under versions of Django's security process. These are listed below. +April 7, 2026 - :cve:`2026-3902` +-------------------------------- + +ASGI header spoofing via underscore/hyphen conflation. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <a623c3982857e80324448f85c7faf9a6710330ef>` +* Django 5.2 :commit:`(patch) <1cc2a7612f97c109b92415fc11ba9bd0501852e0>` +* Django 4.2 :commit:`(patch) <4412731aa64d62a6dd7edae79e0c15b72666d7ca>` + +April 7, 2026 - :cve:`2026-4277` +-------------------------------- + +Privilege abuse in ``GenericInlineModelAdmin``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <08a752c1cd8f378b4c64d96c319da23726df6ed3>` +* Django 5.2 :commit:`(patch) <60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0>` +* Django 4.2 :commit:`(patch) <051f3909e820360bbe84a21350e82f4961e3d917>` + +April 7, 2026 - :cve:`2026-4292` +-------------------------------- + +Privilege abuse in ``ModelAdmin.list_editable``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <428c48f358c5a0ed5ca2834fb721d615eb2b0e11>` +* Django 5.2 :commit:`(patch) <397c22048244db2cd4bb78f570e6c72a3967bf36>` +* Django 4.2 :commit:`(patch) <abfe1a1c57a57cfaf6dd4a0571c029401a0fe743>` + +April 7, 2026 - :cve:`2026-33033` +--------------------------------- + +Potential denial-of-service vulnerability in ``MultiPartParser`` via +base64-encoded file upload. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <0910af60468216c856dfbcac1177372c225deb76>` +* Django 5.2 :commit:`(patch) <0b467893bdde69a2d23034338e76021a1e4f4322>` +* Django 4.2 :commit:`(patch) <f13c20f81b56108ac477213fa5ada2524b5e5c98>` + +April 7, 2026 - :cve:`2026-33034` +--------------------------------- + +Potential denial-of-service vulnerability in ASGI requests via memory upload +limit bypass. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <393dbc53e848876fdba92fbf02e10ee6a6eace6b>` +* Django 5.2 :commit:`(patch) <49e1e2b548999a35a025f9682598946bda9e9921>` +* Django 4.2 :commit:`(patch) <ed4dfda62718a0bb644b80ac8b1d3099861f2295>` + March 3, 2026 - :cve:`2026-25673` --------------------------------- |