From 346a55ced8e8f7b5bc8fe03ecbd4116050f11e2a Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Tue, 3 Mar 2026 11:03:22 -0300 Subject: [5.2.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive. Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main. --- docs/releases/security.txt | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 1c46b152de..892451723e 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -36,6 +36,29 @@ Issues under Django's security process All security issues have been handled under versions of Django's security process. These are listed below. +March 3, 2026 - :cve:`2026-25673` +--------------------------------- + +Potential denial-of-service vulnerability in ``URLField`` via Unicode +normalization on Windows. +`Full description +`__ + +* Django 6.0 :commit:`(patch) ` +* Django 5.2 :commit:`(patch) <4d3c184686626d224d9a87451410ecf802b41f7c>` +* Django 4.2 :commit:`(patch) ` + +March 3, 2026 - :cve:`2026-25674` +--------------------------------- + +Potential incorrect permissions on newly created file system objects. +`Full description +`__ + +* Django 6.0 :commit:`(patch) <264d5c70ef3281a8869cb2ad45a3a52d5adbe790>` +* Django 5.2 :commit:`(patch) ` +* Django 4.2 :commit:`(patch) <54b50bf7d6dcbf02d4c01f853627cc9299d4934d>` + February 3, 2026 - :cve:`2025-13473` ------------------------------------ -- cgit v1.3
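Review bot: In the added entries as they read here, three of the six `:commit:` roles have nothing after `(patch)` (Django 6.0 and 4.2 under CVE-2026-25673, Django 5.2 under CVE-2026-25674), and both `Full description` links close with `__` without any URL. Each should carry a target in the same form as the `<4d3c184686626d224d9a87451410ecf802b41f7c>` reference on the Django 5.2 line. Otherwise the archive gives readers no way to reach the fix for that branch or the advisory text, so please confirm the rendered page resolves all eight links. A smaller documentation point: the CVE-2026-25674 summary ("newly created file system objects") names no affected component, unlike the `URLField` entry just above it. Naming the feature that creates those objects would let operators judge exposure from the archive entry alone.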