diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-03-16 18:05:22 -0400 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 07:12:20 -0400 |
| commit | 6afe7ce93964f56e33a29d477c269436f9b60cbf (patch) | |
| tree | c17401bca74e97de72def6c67a323ff0c27b94f3 /docs/releases | |
| parent | ef8b25dcc06d158683a5623ce406d561638f4073 (diff) | |
Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/4.2.30.txt | 10 | ||||
| -rw-r--r-- | docs/releases/5.2.13.txt | 10 | ||||
| -rw-r--r-- | docs/releases/6.0.4.txt | 10 |
3 files changed, 30 insertions, 0 deletions
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt index a6d2deef3c..de19a6f08f 100644 --- a/docs/releases/4.2.30.txt +++ b/docs/releases/4.2.30.txt @@ -36,3 +36,13 @@ forged ``POST`` data in This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable`` +============================================================== + +Admin changelist forms using +:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new +instances to be created via forged ``POST`` data. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt index 8b03103508..8b303f2700 100644 --- a/docs/releases/5.2.13.txt +++ b/docs/releases/5.2.13.txt @@ -36,3 +36,13 @@ forged ``POST`` data in This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable`` +============================================================== + +Admin changelist forms using +:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new +instances to be created via forged ``POST`` data. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/6.0.4.txt b/docs/releases/6.0.4.txt index 73b08436c1..4287a3086a 100644 --- a/docs/releases/6.0.4.txt +++ b/docs/releases/6.0.4.txt @@ -37,6 +37,16 @@ forged ``POST`` data in This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. +CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable`` +============================================================== + +Admin changelist forms using +:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new +instances to be created via forged ``POST`` data. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. + Bugfixes ======== |