Input validation error in Django - CVE-2026-53878

 

Input validation error in Django - CVE-2026-53878

Published: July 7, 2026


Vulnerability identifier: #VU137030
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53878
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Django Software Foundation
Affected software:
Django

Detailed vulnerability description

The vulnerability allows a remote user to inject HTTP headers.

The vulnerability exists due to improper input validation in django.core.validators.DomainNameValidator when validating domain names containing newline characters. A remote user can supply a domain name containing newlines to inject HTTP headers.

The issue only affects uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default. Django's HttpResponse itself prohibits newlines in HTTP headers.


How to mitigate CVE-2026-53878

Install security update from vendor's website.

Sources