diff options
| -rw-r--r-- | docs/releases/security.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 24a1549007..bec0ed56b0 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -36,6 +36,63 @@ Issues under Django's security process All security issues have been handled under versions of Django's security process. These are listed below. +April 7, 2026 - :cve:`2026-3902` +-------------------------------- + +ASGI header spoofing via underscore/hyphen conflation. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <a623c3982857e80324448f85c7faf9a6710330ef>` +* Django 5.2 :commit:`(patch) <1cc2a7612f97c109b92415fc11ba9bd0501852e0>` +* Django 4.2 :commit:`(patch) <4412731aa64d62a6dd7edae79e0c15b72666d7ca>` + +April 7, 2026 - :cve:`2026-4277` +-------------------------------- + +Privilege abuse in ``GenericInlineModelAdmin``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <08a752c1cd8f378b4c64d96c319da23726df6ed3>` +* Django 5.2 :commit:`(patch) <60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0>` +* Django 4.2 :commit:`(patch) <051f3909e820360bbe84a21350e82f4961e3d917>` + +April 7, 2026 - :cve:`2026-4292` +-------------------------------- + +Privilege abuse in ``ModelAdmin.list_editable``. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <428c48f358c5a0ed5ca2834fb721d615eb2b0e11>` +* Django 5.2 :commit:`(patch) <397c22048244db2cd4bb78f570e6c72a3967bf36>` +* Django 4.2 :commit:`(patch) <abfe1a1c57a57cfaf6dd4a0571c029401a0fe743>` + +April 7, 2026 - :cve:`2026-33033` +--------------------------------- + +Potential denial-of-service vulnerability in ``MultiPartParser`` via +base64-encoded file upload. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <0910af60468216c856dfbcac1177372c225deb76>` +* Django 5.2 :commit:`(patch) <0b467893bdde69a2d23034338e76021a1e4f4322>` +* Django 4.2 :commit:`(patch) <f13c20f81b56108ac477213fa5ada2524b5e5c98>` + +April 7, 2026 - :cve:`2026-33034` +--------------------------------- + +Potential denial-of-service vulnerability in ASGI requests via memory upload +limit bypass. +`Full description +<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__ + +* Django 6.0 :commit:`(patch) <393dbc53e848876fdba92fbf02e10ee6a6eace6b>` +* Django 5.2 :commit:`(patch) <49e1e2b548999a35a025f9682598946bda9e9921>` +* Django 4.2 :commit:`(patch) <ed4dfda62718a0bb644b80ac8b1d3099861f2295>` + March 3, 2026 - :cve:`2026-25673` --------------------------------- |