Vulnerability-Lookup

SUSE-SU-2026:2318-1

Vulnerability from csaf_suse - Published: 2026-06-09 13:22 - Updated: 2026-06-09 13:22

Summary

Security update for python-Django

Severity

Important

Notes

Title of the patch: Security update for python-Django

Description of the patch: This update for python-Django fixes the following issues - CVE-2026-6873: signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie` (bsc#1267578). - CVE-2026-7666: potential unencrypted email transmission via `STARTTLS` in the SMTP backend (bsc#1267579). - CVE-2026-8404: potential exposure of private data via case-sensitive `Cache-Control` directives in `UpdateCacheMiddleware` (bsc#1267580). - CVE-2026-35193: potential exposure of private data via missing `Vary: Authorization` in `UpdateCacheMiddleware` (bsc#1267576). - CVE-2026-48587: potential exposure of private data via whitespace padding in `Vary` header (bsc#1267577).

Patchnames: SUSE-2026-2318,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2318

CVE-2026-35193

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch		—	Vendor Fix

Threats

Impact moderate

CVE-2026-48587

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch		—	Vendor Fix

Threats

Impact moderate

CVE-2026-6873

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch		—	Vendor Fix

Threats

Impact moderate

CVE-2026-7666

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch		—	Vendor Fix

Threats

Impact important

CVE-2026-8404

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch		—	Vendor Fix

Threats

Impact moderate

References

28 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2026…	self
https://bugzilla.suse.com/1267576	self
https://bugzilla.suse.com/1267577	self
https://bugzilla.suse.com/1267578	self
https://bugzilla.suse.com/1267579	self
https://bugzilla.suse.com/1267580	self
https://www.suse.com/security/cve/CVE-2026-35193/	self
https://www.suse.com/security/cve/CVE-2026-48587/	self
https://www.suse.com/security/cve/CVE-2026-6873/	self
https://www.suse.com/security/cve/CVE-2026-7666/	self
https://www.suse.com/security/cve/CVE-2026-8404/	self
https://www.suse.com/security/cve/CVE-2026-35193	external
https://bugzilla.suse.com/1267576	external
https://www.suse.com/security/cve/CVE-2026-48587	external
https://bugzilla.suse.com/1267576	external
https://bugzilla.suse.com/1267577	external
https://www.suse.com/security/cve/CVE-2026-6873	external
https://bugzilla.suse.com/1267576	external
https://bugzilla.suse.com/1267578	external
https://www.suse.com/security/cve/CVE-2026-7666	external
https://bugzilla.suse.com/1267576	external
https://bugzilla.suse.com/1267579	external
https://www.suse.com/security/cve/CVE-2026-8404	external
https://bugzilla.suse.com/1267576	external
https://bugzilla.suse.com/1267580	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-Django",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-Django fixes the following issues\n\n- CVE-2026-6873: signed cookie salt namespace collision in `django.http.HttpRequest.get_signed_cookie` (bsc#1267578).\n- CVE-2026-7666: potential unencrypted email transmission via `STARTTLS` in the SMTP backend (bsc#1267579).\n- CVE-2026-8404: potential exposure of private data via case-sensitive `Cache-Control` directives in\n  `UpdateCacheMiddleware` (bsc#1267580).\n- CVE-2026-35193: potential exposure of private data via missing `Vary: Authorization` in `UpdateCacheMiddleware`\n  (bsc#1267576).\n- CVE-2026-48587: potential exposure of private data via whitespace padding in `Vary` header (bsc#1267577).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-2318,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2318",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2318-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:2318-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262318-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:2318-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047219.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267576",
        "url": "https://bugzilla.suse.com/1267576"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267577",
        "url": "https://bugzilla.suse.com/1267577"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267578",
        "url": "https://bugzilla.suse.com/1267578"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267579",
        "url": "https://bugzilla.suse.com/1267579"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267580",
        "url": "https://bugzilla.suse.com/1267580"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-35193 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-35193/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-48587 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-48587/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-6873 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-6873/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-7666 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-7666/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-8404 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-8404/"
      }
    ],
    "title": "Security update for python-Django",
    "tracking": {
      "current_release_date": "2026-06-09T13:22:04Z",
      "generator": {
        "date": "2026-06-09T13:22:04Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:2318-1",
      "initial_release_date": "2026-06-09T13:22:04Z",
      "revision_history": [
        {
          "date": "2026-06-09T13:22:04Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-Django-4.2.11-150600.3.59.1.noarch",
                "product": {
                  "name": "python311-Django-4.2.11-150600.3.59.1.noarch",
                  "product_id": "python311-Django-4.2.11-150600.3.59.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:packagehub:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Django-4.2.11-150600.3.59.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        },
        "product_reference": "python311-Django-4.2.11-150600.3.59.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-35193",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-35193"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-35193",
          "url": "https://www.suse.com/security/cve/CVE-2026-35193"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267576 for CVE-2026-35193",
          "url": "https://bugzilla.suse.com/1267576"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-09T13:22:04Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-35193"
    },
    {
      "cve": "CVE-2026-48587",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-48587"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-48587",
          "url": "https://www.suse.com/security/cve/CVE-2026-48587"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267576 for CVE-2026-48587",
          "url": "https://bugzilla.suse.com/1267576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267577 for CVE-2026-48587",
          "url": "https://bugzilla.suse.com/1267577"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-09T13:22:04Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-48587"
    },
    {
      "cve": "CVE-2026-6873",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-6873"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Peng Zhou for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-6873",
          "url": "https://www.suse.com/security/cve/CVE-2026-6873"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267576 for CVE-2026-6873",
          "url": "https://bugzilla.suse.com/1267576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267578 for CVE-2026-6873",
          "url": "https://bugzilla.suse.com/1267578"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-09T13:22:04Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-6873"
    },
    {
      "cve": "CVE-2026-7666",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-7666"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-7666",
          "url": "https://www.suse.com/security/cve/CVE-2026-7666"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267576 for CVE-2026-7666",
          "url": "https://bugzilla.suse.com/1267576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267579 for CVE-2026-7666",
          "url": "https://bugzilla.suse.com/1267579"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-09T13:22:04Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-7666"
    },
    {
      "cve": "CVE-2026-8404",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-8404"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-8404",
          "url": "https://www.suse.com/security/cve/CVE-2026-8404"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267576 for CVE-2026-8404",
          "url": "https://bugzilla.suse.com/1267576"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267580 for CVE-2026-8404",
          "url": "https://bugzilla.suse.com/1267580"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.59.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-09T13:22:04Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-8404"
    }
  ]
}

CVE-2026-35193 (GCVE-0-2026-35193)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47

Title

Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-524 - Use of Cache Containing Sensitive Information

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Shai Berger Jacob Walls Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:47:08.153480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:47:18.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Shai Berger"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not add \u003ccode\u003eAuthorization\u003c/code\u003e to the \u003ccode\u003eVary\u003c/code\u003e response header for requests bearing that header without \u003ccode\u003eCache-Control: public\u003c/code\u003e, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Shai Berger for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:38.456Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-24T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-35193",
    "datePublished": "2026-06-03T13:16:38.456Z",
    "dateReserved": "2026-04-01T18:21:23.779Z",
    "dateUpdated": "2026-06-03T15:47:18.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48587 (GCVE-0-2026-48587)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47

Title

Potential exposure of private data via whitespace padding in Vary header

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1023 - Incomplete Comparison with Missing Factors

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Navid Rezazadeh Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48587",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:47:33.121791Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:47:55.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Navid Rezazadeh"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.utils.cache.has_vary_header()\u003c/code\u003e in Django does not strip leading or trailing whitespace from \u003ccode\u003eVary\u003c/code\u003e response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Navid Rezazadeh for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:47.811Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-11T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-26T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via whitespace padding in Vary header",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-48587",
    "datePublished": "2026-06-03T13:16:47.811Z",
    "dateReserved": "2026-05-21T20:50:32.465Z",
    "dateUpdated": "2026-06-03T15:47:55.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6873 (GCVE-0-2026-6873)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43

Title

Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

Summary

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Peng Zhou Paul McMillan Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:43:52.491634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:43:58.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Peng Zhou"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paul McMillan"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.http.HttpRequest.get_signed_cookie\u003c/code\u003e in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct \u003ccode\u003e(name, salt)\u003c/code\u003e pairs that produce the same concatenation.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Peng Zhou for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Peng Zhou for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-475",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-475: Signature Spoofing by Improper Validation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:03.924Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-6873",
    "datePublished": "2026-06-03T13:16:03.924Z",
    "dateReserved": "2026-04-22T18:12:39.603Z",
    "dateUpdated": "2026-06-03T15:43:58.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7666 (GCVE-0-2026-7666)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43

Title

Potential unencrypted email transmission via STARTTLS in the SMTP backend

Summary

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Kasper Dupont Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:43:26.714914Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:43:34.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Kasper Dupont"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.core.mail.backends.smtp.EmailBackend\u003c/code\u003e in Django fails to prevent reuse of a partially-initialized connection after a failed \u003ccode\u003eSTARTTLS\u003c/code\u003e handshake when \u003ccode\u003efail_silently=True\u003c/code\u003e, which allows on-path network attackers to read email content via cleartext interception.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kasper Dupont for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-94",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-94: Adversary in the Middle (AiTM)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319: Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:15.446Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-22T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential unencrypted email transmission via STARTTLS in the SMTP backend",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-7666",
    "datePublished": "2026-06-03T13:16:15.446Z",
    "dateReserved": "2026-05-01T19:59:31.353Z",
    "dateUpdated": "2026-06-03T15:43:34.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8404 (GCVE-0-2026-8404)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:46

Title

Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Ahmed Badawe Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:46:33.911128Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:46:40.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ahmed Badawe"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not match \u003ccode\u003eCache-Control\u003c/code\u003e response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their \u003ccode\u003eCache-Control\u003c/code\u003e directives used uppercase or mixed-case values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmed Badawe for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:29.593Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-06T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-8404",
    "datePublished": "2026-06-03T13:16:29.593Z",
    "dateReserved": "2026-05-12T15:06:18.803Z",
    "dateUpdated": "2026-06-03T15:46:40.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:2318-1

CVE-2026-35193 (GCVE-0-2026-35193)

CVE-2026-48587 (GCVE-0-2026-48587)

CVE-2026-6873 (GCVE-0-2026-6873)

CVE-2026-7666 (GCVE-0-2026-7666)

CVE-2026-8404 (GCVE-0-2026-8404)

Tags

Sightings

Nomenclature