Input validation error in Django - CVE-2026-53878
Published: July 7, 2026
Django
Detailed vulnerability description
The vulnerability allows a remote user to inject HTTP headers.
The vulnerability exists due to improper input validation in django.core.validators.DomainNameValidator when validating domain names containing newline characters. A remote user can supply a domain name containing newlines to inject HTTP headers.
The issue only affects uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default. Django's HttpResponse itself prohibits newlines in HTTP headers.