SB2026070771 - Multiple vulnerabilities in Django



SB2026070771 - Multiple vulnerabilities in Django

Published: July 7, 2026

Security Bulletin ID SB2026070771
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-48588)

CWE-ID: CWE-525 - Use of Web Browser Cache Containing Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to expose private data via cached responses.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page when processing requests that already contain unrelated cookies. A remote attacker can send a request with an unrelated cookie to expose private data via cached responses.

The issue occurs when a response sets a cookie while varying on Cookie.


2) Out-of-bounds read (CVE-ID: CVE-2026-53877)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to a heap-based buffer overflow in django.contrib.gis.gdal.GDALRaster vsi_buffer handling when parsing a bytes object representing a raster file. A local user can supply a crafted raster bytes object to disclose sensitive information.

Only rasters stored in GDAL's virtual filesystem are affected, and the issue may also cause a segmentation fault in rare cases.


3) Input validation error (CVE-ID: CVE-2026-53878)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject HTTP headers.

The vulnerability exists due to improper input validation in django.core.validators.DomainNameValidator when validating domain names containing newline characters. A remote user can supply a domain name containing newlines to inject HTTP headers.

The issue only affects uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default. Django's HttpResponse itself prohibits newlines in HTTP headers.


Remediation

Install update from vendor's website.