Diffstat (limited to 'docs/releases/5.2.12.txt')
-rw-r--r--  docs/releases/5.2.12.txt | 22
1 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/5.2.12.txt b/docs/releases/5.2.12.txt index 9cbbf3836a..be2c7bc807 100644 --- a/docs/releases/5.2.12.txt +++ b/docs/releases/5.2.12.txt @@ -8,6 +8,28 @@ Django 5.2.12 fixes a security issue with severity "moderate" and a security issue with severity "low" in 5.2.11. It also fixes one bug related to support for Python 3.14. +CVE-2026-25673: Potential denial-of-service vulnerability in ``URLField`` via Unicode normalization on Windows +============================================================================================================== + +The :class:`~django.forms.URLField` form field's ``to_python()`` method used +:func:`~urllib.parse.urlsplit` to determine whether to prepend a URL scheme to +the submitted value. On Windows, ``urlsplit()`` performs +:func:`NFKC normalization <python:unicodedata.normalize>`, which can be +disproportionately slow for large inputs containing certain characters. + +``URLField.to_python()`` now uses a simplified scheme detection, avoiding +Unicode normalization entirely and deferring URL validation to the appropriate +layers. As a result, while leading and trailing whitespace is still stripped by +default, characters such as newlines, tabs, and other control characters within +the value are no longer handled by ``URLField.to_python()``. When using the +default :class:`~django.core.validators.URLValidator`, these values will +continue to raise :exc:`~django.core.exceptions.ValidationError` during +validation, but if you rely on custom validators, ensure they do not depend on +the previous behavior of ``URLField.to_python()``. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. + Bugfixes ======== |
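Review bot: The heading scopes the problem to Windows, but the backwards-incompatible part of the fix (``URLField.to_python()`` no longer stripping or handling newlines, tabs and other control characters inside the value) applies on every platform, since ``to_python()`` no longer calls ``urlsplit()`` at all; the paragraph beginning "``URLField.to_python()`` now uses a simplified scheme detection" should say so explicitly, otherwise readers deploying on Linux or macOS may skip the custom-validator caveat that follows. Two smaller points in the same hunk: "deferring URL validation to the appropriate layers" is vague, and the note already names the layer it means two sentences later, so say "deferring URL validation to :class:`~django.core.validators.URLValidator`" directly; and the phrase "in 5.2.11" on the first context line is ambiguous about whether the issues were fixed in 5.2.11 or present in it, so consider "present in 5.2.11" or "in Django 5.2.11 and earlier".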
