CVE-2026-25673 (GCVE-0-2026-25673)

Vulnerability from cvelistv5 – Published: 2026-03-03 14:28 – Updated: 2026-06-30 03:20
VLAI
Title
Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
Summary
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
DSF
Impacted products
Vendor Product Version
djangoproject Django Affected: 6.0 , < 6.0.3 (semver)
Unaffected: 6.0.3 (semver)
Affected: 5.2 , < 5.2.12 (semver)
Unaffected: 5.2.12 (semver)
Affected: 4.2 , < 4.2.29 (semver)
Unaffected: 4.2.29 (semver)
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
Create a notification for this product.
Red Hat Red Hat Discovery 2     cpe:/a:redhat:discovery:2::el9
Create a notification for this product.
Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
Create a notification for this product.
Date Public
2026-03-03 08:00
Credits
Seokchan Yoon Natalia Bidart Natalia Bidart
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T15:25:53.980126Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T15:26:02.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:discovery:2::el9"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Discovery 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-03T14:28:28.601Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Django. A remote attacker can exploit a vulnerability in the `URLField.to_python()` function, specifically when Django is running on the Windows platform. This function, which utilizes `urllib.parse.urlsplit()`, performs a disproportionately slow normalization process for certain Unicode characters. By submitting large URL inputs containing these characters, an attacker can trigger a denial of service (DoS)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T03:20:03.461Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-25673"
          },
          {
            "name": "RHBZ#2444115",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444115"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25673.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-03T15:01:31.969Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-03T14:28:28.601Z",
            "value": "Made public."
          }
        ],
        "title": "django: Django: Denial of Service via slow URL normalization on Windows",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.3",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.12",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.12",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.29",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.29",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Seokchan Yoon"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Natalia Bidart"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-03-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003e`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-227",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-227: Sustained Client Engagement"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "moderate"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T14:28:28.601Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.3, 5.2.12, and 4.2.29",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-27T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-02-20T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-03-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-25673",
    "datePublished": "2026-03-03T14:28:28.601Z",
    "dateReserved": "2026-02-04T18:27:10.657Z",
    "dateUpdated": "2026-06-30T03:20:03.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-25673",
      "date": "2026-07-08",
      "epss": "0.00734",
      "percentile": "0.49972"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25673\",\"sourceIdentifier\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"published\":\"2026-03-03T15:16:19.103\",\"lastModified\":\"2026-06-30T03:17:43.933\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Seokchan Yoon for reporting this issue.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en 6.0 anterior a 6.0.3, 5.2 anterior a 5.2.12, y 4.2 anterior a 4.2.29.\\n`URLField.to_python()` en Django llama a `urllib.parse.urlsplit()`, que realiza la normalizaci\u00f3n NFKC en Windows, la cual es desproporcionadamente lenta para ciertos caracteres Unicode, permitiendo a un atacante remoto causar denegaci\u00f3n de servicio a trav\u00e9s de grandes entradas de URL que contienen estos caracteres.\\nSeries de Django anteriores y no compatibles (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y tambi\u00e9n podr\u00edan estar afectadas.\\nDjango desea agradecer a Seokchan Yoon por informar sobre este problema.\"}],\"affected\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"affectedData\":[{\"vendor\":\"djangoproject\",\"product\":\"Django\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pypi.org/project/Django/\",\"packageName\":\"django\",\"repo\":\"https://github.com/django/django/\",\"versions\":[{\"version\":\"6.0\",\"lessThan\":\"6.0.3\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"6.0.3\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.2\",\"lessThan\":\"5.2.12\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.2.12\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"4.2\",\"lessThan\":\"4.2.29\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.2.29\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Discovery 2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:discovery:2::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Satellite 6\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:satellite:6\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-03T15:25:53.980126Z\",\"id\":\"CVE-2026-25673\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.29\",\"matchCriteriaId\":\"DE181B32-2EF8-4AF0-8500-AFF78A7787B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"5.2.12\",\"matchCriteriaId\":\"91187FB5-19CD-4A7D-B61B-9BE8374164EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0\",\"versionEndExcluding\":\"6.0.3\",\"matchCriteriaId\":\"6AAF6F95-4E20-4A81-832F-D0E29F7E158E\"}]}]}],\"references\":[{\"url\":\"https://docs.djangoproject.com/en/dev/releases/security/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://groups.google.com/g/django-announce\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.djangoproject.com/weblog/2026/mar/03/security-releases/\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-25673\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2444115\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25673.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"django: Django: Denial of Service via slow URL normalization on Windows\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:discovery:2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Discovery 2\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-03T15:01:31.969Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-03-03T14:28:28.601Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-03-03T14:28:28.601Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-25673\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2444115\", \"name\": \"RHBZ#2444115\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25673.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Django. A remote attacker can exploit a vulnerability in the `URLField.to_python()` function, specifically when Django is running on the Windows platform. This function, which utilizes `urllib.parse.urlsplit()`, performs a disproportionately slow normalization process for certain Unicode characters. By submitting large URL inputs containing these characters, an attacker can trigger a denial of service (DoS).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T02:45:36.694Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25673\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T15:25:53.980126Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T15:25:39.933Z\"}}], \"cna\": {\"title\": \"Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Seokchan Yoon\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Natalia Bidart\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Natalia Bidart\"}], \"impacts\": [{\"capecId\": \"CAPEC-227\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-227: Sustained Client Engagement\"}]}], \"metrics\": [{\"other\": {\"type\": \"Django severity rating\", \"content\": {\"value\": \"moderate\", \"namespace\": \"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels\"}}}], \"affected\": [{\"repo\": \"https://github.com/django/django/\", \"vendor\": \"djangoproject\", \"product\": \"Django\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.0.3\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.0.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.2\", \"lessThan\": \"5.2.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.2.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.2\", \"lessThan\": \"4.2.29\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.2.29\", \"versionType\": \"semver\"}], \"packageName\": \"django\", \"collectionURL\": \"https://pypi.org/project/Django/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-27T12:00:00.000Z\", \"value\": \"Initial report received.\"}, {\"lang\": \"en\", \"time\": \"2026-02-20T12:00:00.000Z\", \"value\": \"Vulnerability confirmed.\"}, {\"lang\": \"en\", \"time\": \"2026-03-03T08:00:00.000Z\", \"value\": \"Security release issued.\"}], \"datePublic\": \"2026-03-03T08:00:00.000Z\", \"references\": [{\"url\": \"https://docs.djangoproject.com/en/dev/releases/security/\", \"name\": \"Django security archive\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://groups.google.com/g/django-announce\", \"name\": \"Django releases announcements\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2026/mar/03/security-releases/\", \"name\": \"Django security releases issued: 6.0.3, 5.2.12, and 4.2.29\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Seokchan Yoon for reporting this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\u003c/p\u003e\u003cp\u003e`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"shortName\": \"DSF\", \"dateUpdated\": \"2026-03-03T14:28:28.601Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25673\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T02:45:36.694Z\", \"dateReserved\": \"2026-02-04T18:27:10.657Z\", \"assignerOrgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"datePublished\": \"2026-03-03T14:28:28.601Z\", \"assignerShortName\": \"DSF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…