Django has issued security releases 6.0.4, 5.2.13, and 4.2.30 addressing five CVEs: ASGI header spoofing via underscore/hyphen conflation (CVE-2026-3902), privilege abuse in GenericInlineModelAdmin (CVE-2026-4277) and in ModelAdmin.list_editable (CVE-2026-4292) via forged POST data, a denial of service in MultiPartParser via base64-encoded uploads containing excessive whitespace (CVE-2026-33033), and a denial of service in ASGI requests via a memory upload limit bypass (CVE-2026-33034). All issues are rated low severity except the MultiPartParser DoS, which is rated moderate. Additionally, Django 4.2 has reached the end of extended support, and users are urged to upgrade to 5.2 or later.
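The underscore/hyphen conflation behind CVE-2026-3902 is easiest to see in code. The block below is an added illustration, not Django's own code and not taken from the advisory: it applies the common CGI/WSGI convention of upper-casing a header name and replacing hyphens with underscores to produce a `HTTP_*` META key, shows that two distinct raw names then collide on one key (the later value silently shadowing the earlier one), and demonstrates a defender-side filter that drops names containing underscores before conversion, the same default policy front-end servers such as nginx apply. The header list, the `app.example.com`/`other.example` values and the helper names are constructed for this example; the advisory does not describe Django's exact fix, so this filter is one mitigation pattern, not a statement of what the patch does.

```python
# Added example (not from the Django advisory or Django's own code): shows how
# converting raw header names to CGI-style META keys conflates "-" and "_",
# and a defender-side filter that drops underscore-containing names before
# the conversion so a variant spelling cannot shadow the legitimate header.
from typing import Iterable

# Constructed sample: ASGI-style (lowercase bytes) header pairs in wire order.
# The second entry differs from the first only by "_" in place of "-".
SAMPLE_HEADERS: list[tuple[bytes, bytes]] = [
    (b"host", b"app.example.com"),
    (b"x-forwarded-host", b"app.example.com"),
    (b"x_forwarded_host", b"other.example"),
]


def meta_key(raw_name: str) -> str:
    """CGI/WSGI-style key: upper-case the name and turn hyphens into underscores.

    This is the lossy step: "x-foo" and "x_foo" both become "HTTP_X_FOO".
    """
    return "HTTP_" + raw_name.upper().replace("-", "_")


def find_collisions(headers: Iterable[tuple[bytes, bytes]]) -> dict[str, list[str]]:
    """Detection helper: report META keys reached by more than one raw header name."""
    seen: dict[str, list[str]] = {}
    for name_b, _ in headers:
        name = name_b.decode("latin1")
        seen.setdefault(meta_key(name), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


def build_meta(
    headers: Iterable[tuple[bytes, bytes]], drop_underscores: bool = True
) -> dict[str, str]:
    """Build a META-style mapping from raw headers.

    With drop_underscores=True (the mitigation), any header whose raw name
    contains "_" is discarded before conversion, so only the hyphenated
    spelling can populate the HTTP_* key. With it off, the later variant
    overwrites the earlier value, which is the conflation problem.
    """
    meta: dict[str, str] = {}
    for name_b, value_b in headers:
        name = name_b.decode("latin1")
        if drop_underscores and "_" in name:
            continue
        meta[meta_key(name)] = value_b.decode("latin1")
    return meta


if __name__ == "__main__":
    print("collisions:", find_collisions(SAMPLE_HEADERS))
    print("no filter :", build_meta(SAMPLE_HEADERS, drop_underscores=False))
    print("filtered  :", build_meta(SAMPLE_HEADERS))
```

`find_collisions` is the check a practitioner would run over captured header sets to see whether a deployment is exposed to this class of shadowing; `build_meta` with the filter enabled shows the resulting META once underscore-named headers are rejected at the boundary.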

From djangoproject.com
Table of contents

- Django 4.2 has reached the end of extended support
- CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
- CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
- CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
- Affected supported versions
- Resolution
- The following releases have been issued
- General notes regarding security reporting
