SB2026070771 - Multiple vulnerabilities in Django
Published: July 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-48588)
CWE-ID: CWE-525 - Use of Web Browser Cache Containing Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to expose private data via cached responses.
The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page when processing requests that already contain unrelated cookies. A remote attacker can send a request with an unrelated cookie to expose private data via cached responses.
The issue occurs when a response sets a cookie while varying on Cookie.
2) Out-of-bounds read (CVE-ID: CVE-2026-53877)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to a heap-based buffer overflow in django.contrib.gis.gdal.GDALRaster vsi_buffer handling when parsing a bytes object representing a raster file. A local user can supply a crafted raster bytes object to disclose sensitive information.
Only rasters stored in GDAL's virtual filesystem are affected, and the issue may also cause a segmentation fault in rare cases.
3) Input validation error (CVE-ID: CVE-2026-53878)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject HTTP headers.
The vulnerability exists due to improper input validation in django.core.validators.DomainNameValidator when validating domain names containing newline characters. A remote user can supply a domain name containing newlines to inject HTTP headers.
The issue only affects uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default. Django's HttpResponse itself prohibits newlines in HTTP headers.
Remediation
Install update from vendor's website.
References
- https://www.djangoproject.com/weblog/2026/jul/07/security-releases/
- https://github.com/django/django/commit/64f9a2b2283fde3ec69fb0dfe441cf0f6f411ba3
- https://github.com/django/django/commit/38dfbd27d7d4f4e6eaa087d7a90f2613fbf55b3a
- https://github.com/django/django/commit/a5de13f1491f1dbf2bb0ad9b91570524ebbc8acd