SB2026050601 - Ubuntu update for python-django

Published: May 6, 2026

Security Bulletin ID SB2026050601
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Session Fixation (CVE-ID: CVE-2026-35192)

The vulnerability allows a remote attacker to steal a user's session.

The vulnerability exists due to improper session handling on cached public pages when the session has not been modified and SESSION_SAVE_EVERY_REQUEST is True. If the victim visits such a cached public page, a remote attacker can obtain the victim's session.

User interaction is required: the victim must visit a cached public page.


2) Input validation error (CVE-ID: CVE-2026-5766)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when processing file uploads whose Content-Length header is missing or understates the actual body size. A remote attacker can send a specially crafted request to cause a denial of service.

Because the size check relies on the declared length, a large uploaded file may be buffered entirely in memory, causing service degradation.
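The following is an added example, not code from Django or from this bulletin, showing the failure mode in vulnerability 2 against a plain ASGI receive loop. The "trusting" reader checks only the declared Content-Length, so a client that omits or understates the header gets its whole body buffered; the "bounded" reader counts the bytes that actually arrive and aborts once the running total passes the limit. The ASGI `receive` callable is simulated by a constructed `fake_receive` helper; the limit, chunk size and sample bodies are assumptions for illustration.

```python
import asyncio


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


async def _drain(receive):
    """Collect every `http.request` chunk from an ASGI receive callable."""
    chunks = []
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            raise ConnectionError("client disconnected")
        chunks.append(message.get("body", b""))
        if not message.get("more_body", False):
            return chunks


async def read_body_trusting_header(receive, headers, max_bytes):
    """Weak pattern: the only size check is against the declared
    Content-Length. A missing or understated header passes the check and the
    whole body is then buffered in memory, however large it really is."""
    declared = int(headers.get(b"content-length", b"0"))
    if declared > max_bytes:
        raise BodyTooLarge(f"declared {declared} > {max_bytes}")
    return b"".join(await _drain(receive))


async def read_body_bounded(receive, max_bytes):
    """Hardened pattern: count the bytes that actually arrive and abort the
    moment the running total passes the limit. The Content-Length header is
    never consulted, so it cannot be used to bypass the cap."""
    chunks, total = [], 0
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            raise ConnectionError("client disconnected")
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > max_bytes:
            raise BodyTooLarge(f"received {total} > {max_bytes}")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)


def fake_receive(body, chunk_size=4096):
    """Constructed stand-in for the ASGI `receive` callable that streams
    `body` in `chunk_size` pieces, as a server would for an upload."""
    offset = 0

    async def receive():
        nonlocal offset
        chunk = body[offset:offset + chunk_size]
        offset += chunk_size
        return {"type": "http.request", "body": chunk,
                "more_body": offset < len(body)}

    return receive


def compare(declared_length, body, max_bytes):
    """Run both readers on the same upload and report what each one did.
    `declared_length` is the Content-Length the client claims (None = header
    absent); `body` is what it actually sends."""
    headers = {}
    if declared_length is not None:
        headers[b"content-length"] = str(declared_length).encode()

    async def run(coro_factory):
        try:
            data = await coro_factory()
            return f"accepted {len(data)} bytes"
        except BodyTooLarge:
            return "rejected"

    async def both():
        weak = await run(lambda: read_body_trusting_header(
            fake_receive(body), headers, max_bytes))
        strong = await run(lambda: read_body_bounded(
            fake_receive(body), max_bytes))
        return {"trusting": weak, "bounded": strong}

    return asyncio.run(both())


if __name__ == "__main__":
    # Client claims 100 bytes but streams 10 KiB against a 1 KiB limit.
    print(compare(100, b"A" * 10_240, 1024))
    # Header omitted entirely.
    print(compare(None, b"A" * 10_240, 1024))
    # Honest small upload: both readers accept it.
    print(compare(512, b"A" * 512, 1024))
```

The point of the bounded reader is that the limit is enforced on observed bytes, so it holds for chunked, header-less and lying clients alike; in a real deployment the same cap should also be applied by the front-end proxy so the application never sees the oversized body at all.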


3) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-6907)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware when processing responses whose Vary header contains an asterisk ('*'). A remote attacker can cause a response containing private data to be cached and thereby disclose sensitive information.

Private data may be stored in the cache and later served to other users.
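As an added illustration of vulnerability 3 (this is not Django's middleware and not code from the bulletin), the example below implements a minimal Vary-aware page cache twice over. In non-strict mode it mimics the flaw: '*' is dropped from the Vary list as if it were an ordinary header name, so a private page cached for one user is served to the next. In strict mode an admission check refuses to store any response whose Vary contains '*' (RFC 9110 section 12.5.5: such a response may depend on request attributes the cache cannot key on), and additionally refuses responses marked private or no-store or carrying Set-Cookie. The Set-Cookie rule is a conservative general practice, not something the bulletin states about Django; the request and response objects are constructed for the demo.

```python
def header_tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def cache_key(request, vary_names):
    """Key = path plus the request's value for each header named in Vary."""
    parts = [request["path"]]
    for name in vary_names:
        parts.append(f"{name}={request['headers'].get(name, '')}")
    return "|".join(parts)


def is_storable(response):
    """Shared-cache admission check; returns (storable, reason)."""
    headers = response["headers"]
    if response["status"] not in (200, 304):
        return False, "status"
    if "*" in header_tokens(headers.get("vary", "")):
        # RFC 9110 s.12.5.5: '*' means the response depends on things the
        # cache cannot key on, so it must not be reused for another request.
        return False, "vary-star"
    cc = header_tokens(headers.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False, "cache-control"
    if "set-cookie" in headers:
        # Conservative general rule (assumption, not from the bulletin): a
        # response that sets a cookie is user-specific, and a cached copy
        # would hand that cookie to every later visitor.
        return False, "set-cookie"
    return True, "ok"


class PageCache:
    """Minimal Vary-aware page cache. With strict=False it reproduces the
    faulty behaviour: '*' is dropped from the Vary list, so every request for
    the path computes the same key. With strict=True admission goes through
    is_storable() first."""

    def __init__(self, strict):
        self.strict = strict
        self.entries = {}  # path -> list of (vary_names, key, response)

    def update(self, request, response):
        if self.strict and not is_storable(response)[0]:
            return False
        vary = [v for v in header_tokens(response["headers"].get("vary", ""))
                if v != "*"]
        self.entries.setdefault(request["path"], []).append(
            (vary, cache_key(request, vary), response))
        return True

    def fetch(self, request):
        for vary, key, response in self.entries.get(request["path"], []):
            if cache_key(request, vary) == key:
                return response
        return None


def leak_demo(strict, vary_value):
    """Alice's private account page is cached; return what Bob then sees
    (None if the cache serves him nothing). Requests and responses are
    constructed sample data."""
    cache = PageCache(strict)
    alice = {"path": "/account", "headers": {"cookie": "sessionid=alice"}}
    bob = {"path": "/account", "headers": {"cookie": "sessionid=bob"}}
    page = {"status": 200,
            "headers": {"vary": vary_value, "content-type": "text/html"},
            "body": "Alice's account page"}
    cache.update(alice, page)
    hit = cache.fetch(bob)
    return hit["body"] if hit else None


if __name__ == "__main__":
    print(leak_demo(strict=False, vary_value="*"))       # Bob gets Alice's page
    print(leak_demo(strict=True, vary_value="*"))        # nothing was cached
    print(leak_demo(strict=False, vary_value="Cookie"))  # keyed per cookie, no leak
```

The third call shows why the flaw is specific to '*': with Vary: Cookie the cache can key on the request's Cookie header and the two users get separate entries, whereas '*' names no header at all, so the only safe action is not to store the response.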


Remediation

Install the updated python-django packages from the vendor's website.