Django has issued security releases 6.0.5 and 5.2.14 addressing three low-severity CVEs: a denial-of-service vulnerability in ASGI requests via file upload limit bypass (CVE-2026-5766), a session fixation issue via public cached pages when SESSION_SAVE_EVERY_REQUEST is True (CVE-2026-35192), and potential private data exposure due to incorrect handling of Vary: * in UpdateCacheMiddleware (CVE-2026-6907). All users on Django 5.2 or 6.0 are urged to upgrade immediately. Patches are available on the main, 6.0, and 5.2 branches.
Table of contents
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Affected supported versions
Resolution
The following releases have been issued
General notes regarding security reporting
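A small pre-upgrade check for the advisory summarised above, added here as an example and not part of the Django release notes. It assumes that releases earlier than 5.2.14 in the 5.2 series and earlier than 6.0.5 in the 6.0 series are the affected ones, and that the precondition for CVE-2026-35192 worth flagging is SESSION_SAVE_EVERY_REQUEST being True while the per-site cache middleware (UpdateCacheMiddleware) is enabled; the settings dictionary and the function names are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) series.
# Assumption: every earlier release in each series is affected.
FIXED_RELEASES = {(5, 2): (5, 2, 14), (6, 0): (6, 0, 5)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.2.13' (or '6.0', or '5.2.14rc1') into a comparable 3-tuple.

    Non-numeric suffixes such as 'rc1' are ignored; missing parts are 0.
    """
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def required_upgrade(version: str) -> Optional[str]:
    """Return the fixed release to move to, or None if the installed
    version is already patched or is outside the 5.2 / 6.0 series."""
    installed = parse_version(version)
    fixed = FIXED_RELEASES.get(installed[:2])
    if fixed is None or installed >= fixed:
        return None
    return ".".join(str(part) for part in fixed)


def session_fixation_exposure(settings: dict) -> bool:
    """True when the configuration the advisory ties to CVE-2026-35192 is present:
    SESSION_SAVE_EVERY_REQUEST is on and UpdateCacheMiddleware is in MIDDLEWARE,
    so a public cached page can be served with a session cookie attached.
    Assumption: only the middleware setting is inspected, not per-view caching."""
    middleware = settings.get("MIDDLEWARE", [])
    uses_site_cache = any(m.endswith("UpdateCacheMiddleware") for m in middleware)
    return bool(settings.get("SESSION_SAVE_EVERY_REQUEST", False)) and uses_site_cache


# Constructed sample settings, illustrating the risky combination.
SAMPLE_SETTINGS = {
    "SESSION_SAVE_EVERY_REQUEST": True,
    "MIDDLEWARE": [
        "django.middleware.cache.UpdateCacheMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.cache.FetchFromCacheMiddleware",
    ],
}
```

Run `required_upgrade(django.get_version())` in a deployment check and treat a non-None result, or a True from `session_fixation_exposure(vars(settings))`, as a blocker until the upgrade is applied.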