Django has issued security releases for versions 6.0.3, 5.2.12, and 4.2.29, addressing two CVEs. CVE-2026-25673 fixes a potential denial-of-service vulnerability in URLField caused by slow Unicode (NFKC) normalization on Windows via urllib.parse.urlsplit(); the fix avoids normalization entirely in to_python(). CVE-2026-25674

3m read time. From djangoproject.com
Table of contents
CVE-2026-25673: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows