summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJacob Walls <jacobtylerwalls@gmail.com>2026-03-16 18:05:22 -0400
committerJacob Walls <jacobtylerwalls@gmail.com>2026-04-07 07:21:29 -0400
commit428c48f358c5a0ed5ca2834fb721d615eb2b0e11 (patch)
tree0738e9487163cfaafa0be6402f78f031a88825ce /docs
parent08a752c1cd8f378b4c64d96c319da23726df6ed3 (diff)
[6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.30.txt10
-rw-r--r--docs/releases/5.2.13.txt10
-rw-r--r--docs/releases/6.0.4.txt10
3 files changed, 30 insertions, 0 deletions
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt
index a6d2deef3c..de19a6f08f 100644
--- a/docs/releases/4.2.30.txt
+++ b/docs/releases/4.2.30.txt
@@ -36,3 +36,13 @@ forged ``POST`` data in
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable``
+==============================================================
+
+Admin changelist forms using
+:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new
+instances to be created via forged ``POST`` data.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt
index 8b03103508..8b303f2700 100644
--- a/docs/releases/5.2.13.txt
+++ b/docs/releases/5.2.13.txt
@@ -36,3 +36,13 @@ forged ``POST`` data in
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable``
+==============================================================
+
+Admin changelist forms using
+:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new
+instances to be created via forged ``POST`` data.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/6.0.4.txt b/docs/releases/6.0.4.txt
index 73b08436c1..4287a3086a 100644
--- a/docs/releases/6.0.4.txt
+++ b/docs/releases/6.0.4.txt
@@ -37,6 +37,16 @@ forged ``POST`` data in
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
+CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable``
+==============================================================
+
+Admin changelist forms using
+:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new
+instances to be created via forged ``POST`` data.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 20:02:08 +0000