Django Releases Address Security Vulnerabilities
Django has released versions 6.0.7 and 5.2.16 to fix three low-severity security vulnerabilities. These issues could potentially lead to private data exposure, heap buffer over-reads, or header injection attacks. All users of supported Django versions are strongly encouraged to upgrade to the patched releases.
- →CVE-2026-48588: Private data exposure via cached Set-Cookie
- →CVE-2026-53877: Heap buffer over-read in GDALRaster
- →CVE-2026-53878: Header injection via DomainNameValidator
- →Patched releases available for Django 6.0.7 and 5.2.16
Security (3) ›
- CVE-2026-48588: Private data exposure via cached Set-Cookie
A flaw in `UpdateCacheMiddleware` and `cache_page` could store sensitive cookies in Django's shared cache when varying on the Cookie header, if the request contained unrelated cookies. This vulnerability has a severity of 'low'.
- CVE-2026-53877: Heap buffer over-read in GDALRaster
The `GDALRaster` in `django.contrib.gis.gdal` could over-read allocated buffers by approximately 32 bytes when instantiated with a bytes object representing a raster file. This could lead to information disclosure or a segmentation fault, affecting only rasters in GDAL's virtual filesystem and rated 'low' severity.
- CVE-2026-53878: Header injection via DomainNameValidator
The `DomainNameValidator` accepted newline characters in domain names, potentially enabling header injection attacks if such values were used in HTTP responses. Django itself is not vulnerable due to `HttpResponse` prohibiting newlines in headers, and this affects only external uses of the validator. The severity is rated 'low'.
Notes (1) ›
- Patched releases available for Django 6.0.7 and 5.2.16
Patches addressing these security issues have been applied to the main, 6.1 (beta), 6.0, and 5.2 branches. The specific releases issued are Django 6.0.7 and Django 5.2.16.
https://www.djangoproject.com/weblog/2026/jul/07/security-releases/