Improper Handling of Length Parameter Inconsistency
CWE-130 | CVE-2026-5766 | CVSS 6.3
Detailed paths and remediation
-
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency in the handling of ASGI requests when the Content-Length header is missing or understated. An attacker can cause excessive memory usage and degrade service availability by uploading large files that bypass configured upload limits.L
Use of Cache Containing Sensitive Information
CWE-524 | CVE-2026-6907 | CVSS 2.3
Detailed paths and remediation
-
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the UpdateCacheMiddleware middleware. An attacker can access private data belonging to other users by exploiting incorrect handling of the Vary: * header, which causes improper caching of responses.
Use of Persistent Cookies Containing Sensitive Information
CWE-539 | CVE-2026-35192 | CVSS 2.3
Detailed paths and remediation
-
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
-
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Use of Persistent Cookies Containing Sensitive Information in the SESSION_SAVE_EVERY_REQUEST. An attacker can hijack a user's session by exploiting public cached pages that do not vary response headers on cookies if the session is not modified and SESSION_SAVE_EVERY_REQUEST=True.
Fix:
Upgrading to django@5.2.14 fixes all 3 issues.
We will upgrade to django 6 in a later ticket
QA Notes
null
DEV Notes
null
Design
null
See full ticket and images here: FECFILE-3125
Pull Request: #2054
Improper Handling of Length Parameter Inconsistency
CWE-130 | CVE-2026-5766 | CVSS 6.3
Detailed paths and remediation
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency in the handling of ASGI requests when the
Content-Lengthheader is missing or understated. An attacker can cause excessive memory usage and degrade service availability by uploading large files that bypass configured upload limits.LUse of Cache Containing Sensitive Information
CWE-524 | CVE-2026-6907 | CVSS 2.3
Detailed paths and remediation
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the
UpdateCacheMiddlewaremiddleware. An attacker can access private data belonging to other users by exploiting incorrect handling of theVary: *header, which causes improper caching of responses.Use of Persistent Cookies Containing Sensitive Information
CWE-539 | CVE-2026-35192 | CVSS 2.3
Detailed paths and remediation
Introduced through: root@0.0.0 › django@5.2.13
Fix: Upgrade django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › dj-database-url@2.3.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-deprecate-fields@0.2.3 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-migration-linter@5.2.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › django-structlog@9.1.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular-sidecar@2026.4.14 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Introduced through: root@0.0.0 › drf-spectacular@0.29.0 › djangorestframework@3.17.1 › django@5.2.13
Fix: Pin django to version 5.2.14 or 6.0.5
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Use of Persistent Cookies Containing Sensitive Information in the
SESSION_SAVE_EVERY_REQUEST. An attacker can hijack a user's session by exploiting public cached pages that do not vary response headers on cookies if the session is not modified andSESSION_SAVE_EVERY_REQUEST=True.Fix:
Upgrading to django@5.2.14 fixes all 3 issues.
We will upgrade to django 6 in a later ticket
QA Notes
null
DEV Notes
null
Design
null
See full ticket and images here: FECFILE-3125
Pull Request: #2054