SB2026051318 - Fedora 44 update for python-django5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026051318

SB2026051318 - Fedora 44 update for python-django5

Published: May 13, 2026

Security Bulletin ID SB2026051318
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-5766)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when processing file uploads with a missing or understated Content-Length header. A remote attacker can send a specially crafted request to cause a denial of service.

Large uploaded files may be loaded into memory, causing service degradation.


2) Session Fixation (CVE-ID: CVE-2026-35192)

CWE-ID: CWE-384 - Session Fixation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to steal a user's session.

The vulnerability exists due to improper session handling in cached public pages when a session is not modified and SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can leverage a cached public page visit by the victim to steal a user's session.

User interaction is required because the victim must visit a cached public page.


3) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-6907)

CWE-ID: CWE-525 - Use of Web Browser Cache Containing Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware when processing responses whose Vary header contains an asterisk ('*'). A remote attacker can trigger caching of private data to disclose sensitive information.

Private data may be stored in the cache and later served to other users.


4) Improper input validation (CVE-ID: CVE-2026-3902)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to spoof security-sensitive headers.

The vulnerability exists due to improper input validation in ASGIRequest when processing request headers. A remote attacker can supply a header name with underscores to spoof security-sensitive headers.

This issue affects ASGI deployments where hyphenated and underscored header names may be treated ambiguously.


5) Improper access control (CVE-ID: CVE-2026-4277)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create inline model instances without proper add permissions.

The vulnerability exists due to improper access control in GenericInlineModelAdmin when processing forged POST data. A remote user can submit forged POST data to create inline model instances without proper add permissions.


6) Improper access control (CVE-ID: CVE-2026-4292)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create new instances through admin changelist forms.

The vulnerability exists due to improper access control in ModelAdmin.list_editable when processing forged POST data. A remote user can submit forged POST data to create new instances through admin changelist forms.


7) Resource exhaustion (CVE-ID: CVE-2026-33033)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in django.http.multipartparser.MultiPartParser when processing multipart uploads with base64-encoded files containing excessive whitespace. A remote attacker can send a specially crafted multipart upload to cause a denial of service.

The issue may trigger repeated memory copying and degrade performance.


8) Improper input validation (CVE-ID: CVE-2026-33034)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when reading HttpRequest.body from requests with a missing or understated Content-Length header. A remote attacker can send a specially crafted request to cause a denial of service.

The issue can bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit and load an unbounded request body into memory.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-25674)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to alter application behavior. 

The vulnerability exists due to incorrect permissions set for newly created directories. A local user can potentially write files into the directory before proper permissions are applied. 


Remediation

Install update from vendor's website.

References