OPENSUSE-SU-2026:10517-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10517-1

Vulnerability from csaf_opensuse - Published: 2026-04-09 00:00 - Updated: 2026-04-09 00:00

Summary

python313-Django6-6.0.4-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: python313-Django6-6.0.4-1.1 on GA media

Description of the patch: These are all security issues fixed in the python313-Django6-6.0.4-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10517

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-33033

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33034

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-3902

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-4277

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-4292

2.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-33033/	self
	https://www.suse.com/security/cve/CVE-2026-33034/	self
	https://www.suse.com/security/cve/CVE-2026-3902/	self
	https://www.suse.com/security/cve/CVE-2026-4277/	self
	https://www.suse.com/security/cve/CVE-2026-4292/	self
	https://www.suse.com/security/cve/CVE-2026-33033	external
	https://bugzilla.suse.com/1261722	external
	https://www.suse.com/security/cve/CVE-2026-33034	external
	https://bugzilla.suse.com/1261724	external
	https://www.suse.com/security/cve/CVE-2026-3902	external
	https://bugzilla.suse.com/1261729	external
	https://www.suse.com/security/cve/CVE-2026-4277	external
	https://bugzilla.suse.com/1261731	external
	https://www.suse.com/security/cve/CVE-2026-4292	external
	https://bugzilla.suse.com/1261732	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python313-Django6-6.0.4-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python313-Django6-6.0.4-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10517",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10517-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33033 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33033/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33034 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33034/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-3902 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-3902/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-4277 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-4277/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-4292 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-4292/"
      }
    ],
    "title": "python313-Django6-6.0.4-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-09T00:00:00Z",
      "generator": {
        "date": "2026-04-09T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10517-1",
      "initial_release_date": "2026-04-09T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-09T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.4-1.1.aarch64",
                "product": {
                  "name": "python313-Django6-6.0.4-1.1.aarch64",
                  "product_id": "python313-Django6-6.0.4-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-Django6-6.0.4-1.1.aarch64",
                "product": {
                  "name": "python314-Django6-6.0.4-1.1.aarch64",
                  "product_id": "python314-Django6-6.0.4-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.4-1.1.ppc64le",
                "product": {
                  "name": "python313-Django6-6.0.4-1.1.ppc64le",
                  "product_id": "python313-Django6-6.0.4-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python314-Django6-6.0.4-1.1.ppc64le",
                "product": {
                  "name": "python314-Django6-6.0.4-1.1.ppc64le",
                  "product_id": "python314-Django6-6.0.4-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.4-1.1.s390x",
                "product": {
                  "name": "python313-Django6-6.0.4-1.1.s390x",
                  "product_id": "python313-Django6-6.0.4-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python314-Django6-6.0.4-1.1.s390x",
                "product": {
                  "name": "python314-Django6-6.0.4-1.1.s390x",
                  "product_id": "python314-Django6-6.0.4-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-Django6-6.0.4-1.1.x86_64",
                "product": {
                  "name": "python313-Django6-6.0.4-1.1.x86_64",
                  "product_id": "python313-Django6-6.0.4-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-Django6-6.0.4-1.1.x86_64",
                "product": {
                  "name": "python314-Django6-6.0.4-1.1.x86_64",
                  "product_id": "python314-Django6-6.0.4-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64"
        },
        "product_reference": "python313-Django6-6.0.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le"
        },
        "product_reference": "python313-Django6-6.0.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x"
        },
        "product_reference": "python313-Django6-6.0.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Django6-6.0.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64"
        },
        "product_reference": "python313-Django6-6.0.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-Django6-6.0.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64"
        },
        "product_reference": "python314-Django6-6.0.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-Django6-6.0.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le"
        },
        "product_reference": "python314-Django6-6.0.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-Django6-6.0.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x"
        },
        "product_reference": "python314-Django6-6.0.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-Django6-6.0.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        },
        "product_reference": "python314-Django6-6.0.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33033",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33033"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33033",
          "url": "https://www.suse.com/security/cve/CVE-2026-33033"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261722 for CVE-2026-33033",
          "url": "https://bugzilla.suse.com/1261722"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33033"
    },
    {
      "cve": "CVE-2026-33034",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33034"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33034",
          "url": "https://www.suse.com/security/cve/CVE-2026-33034"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261724 for CVE-2026-33034",
          "url": "https://bugzilla.suse.com/1261724"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33034"
    },
    {
      "cve": "CVE-2026-3902",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-3902"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-3902",
          "url": "https://www.suse.com/security/cve/CVE-2026-3902"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261729 for CVE-2026-3902",
          "url": "https://bugzilla.suse.com/1261729"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-3902"
    },
    {
      "cve": "CVE-2026-4277",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-4277"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-4277",
          "url": "https://www.suse.com/security/cve/CVE-2026-4277"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261731 for CVE-2026-4277",
          "url": "https://bugzilla.suse.com/1261731"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-09T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-4277"
    },
    {
      "cve": "CVE-2026-4292",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-4292"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
          "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-4292",
          "url": "https://www.suse.com/security/cve/CVE-2026-4292"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261732 for CVE-2026-4292",
          "url": "https://bugzilla.suse.com/1261732"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python313-Django6-6.0.4-1.1.x86_64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.aarch64",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.s390x",
            "openSUSE Tumbleweed:python314-Django6-6.0.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-09T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-4292"
    }
  ]
}

CVE-2026-4292 (GCVE-0-2026-4292)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:12

Title

Privilege abuse in ModelAdmin.list_editable

Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-862 - Missing Authorization

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/apr/07/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.4 (semver) Unaffected: 6.0.4 (semver) Affected: 5.2 , < 5.2.13 (semver) Unaffected: 5.2.13 (semver) Affected: 4.2 , < 4.2.30 (semver) Unaffected: 4.2.30 (semver)

Date Public ?

2026-04-07 09:00

Credits

Cantina Jacob Walls Jacob Walls

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 2.7,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4292",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T15:12:50.786633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T15:12:56.065Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Cantina"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\u003c/p\u003e\u003cp\u003einstances to be created via forged `POST` data.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122: Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:38.254Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-11T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-16T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Privilege abuse in ModelAdmin.list_editable",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-4292",
    "datePublished": "2026-04-07T14:22:38.254Z",
    "dateReserved": "2026-03-16T16:58:02.592Z",
    "dateUpdated": "2026-04-07T15:12:56.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33034 (GCVE-0-2026-33034)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 20:44

Title

Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/apr/07/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.4 (semver) Unaffected: 6.0.4 (semver) Affected: 5.2 , < 5.2.13 (semver) Unaffected: 5.2.13 (semver) Affected: 4.2 , < 4.2.30 (semver) Unaffected: 4.2.30 (semver)

Date Public ?

2026-04-07 09:00

Credits

Superior Natalia Bidart Jacob Walls

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33034",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T20:43:43.119514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T20:44:01.819Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Superior"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Natalia Bidart"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eASGI requests with a missing or understated `Content-Length` header could\u003c/p\u003e\u003cp\u003ebypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\u003c/p\u003e\u003cp\u003e`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\u003c/p\u003e\u003cp\u003ememory.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Superior for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130: Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:59.942Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-24T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-17T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-33034",
    "datePublished": "2026-04-07T14:22:59.942Z",
    "dateReserved": "2026-03-17T17:36:23.992Z",
    "dateUpdated": "2026-04-07T20:44:01.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3902 (GCVE-0-2026-3902)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 16:14

Title

ASGI header spoofing via underscore/hyphen conflation

Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/apr/07/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.4 (semver) Unaffected: 6.0.4 (semver) Affected: 5.2 , < 5.2.13 (semver) Unaffected: 5.2.13 (semver) Affected: 4.2 , < 4.2.30 (semver) Unaffected: 4.2.30 (semver)

Date Public ?

2026-04-07 09:00

Credits

Tarek Nakkouch Jacob Walls Jacob Walls

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-3902",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T16:14:03.870418Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T16:14:07.198Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Tarek Nakkouch"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-151",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-151: Identity Spoofing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:07.190Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-23T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-10T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "ASGI header spoofing via underscore/hyphen conflation",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-3902",
    "datePublished": "2026-04-07T14:22:07.190Z",
    "dateReserved": "2026-03-10T18:33:26.472Z",
    "dateUpdated": "2026-04-07T16:14:07.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33033 (GCVE-0-2026-33033)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:21

Title

Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload

Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/apr/07/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.4 (semver) Unaffected: 6.0.4 (semver) Affected: 5.2 , < 5.2.13 (semver) Unaffected: 5.2.13 (semver) Affected: 4.2 , < 4.2.30 (semver) Unaffected: 4.2.30 (semver)

Date Public ?

2026-04-07 09:00

Credits

Seokchan Yoon Natalia Bidart Jacob Walls

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T15:21:08.357477Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T15:21:27.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Seokchan Yoon"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Natalia Bidart"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130: Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "moderate"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:48.624Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-19T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-17T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-33033",
    "datePublished": "2026-04-07T14:22:48.624Z",
    "dateReserved": "2026-03-17T17:36:23.992Z",
    "dateUpdated": "2026-04-07T15:21:27.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4277 (GCVE-0-2026-4277)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-09 20:21

Title

Privilege abuse in GenericInlineModelAdmin

Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Severity ?

No CVSS data available.

CWE

CWE-862 - Missing Authorization

Assigner

DSF

References

URL

Tags

	https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
	https://groups.google.com/g/django-announce	mailing-list
	https://www.djangoproject.com/weblog/2026/apr/07/…	vendor-advisory

Impacted products

	Vendor	Product	Version
	djangoproject	Django	Affected: 6.0 , < 6.0.4 (semver) Unaffected: 6.0.4 (semver) Affected: 5.2 , < 5.2.13 (semver) Unaffected: 5.2.13 (semver) Affected: 4.2 , < 4.2.30 (semver) Unaffected: 4.2.30 (semver)

Date Public ?

2026-04-07 09:00

Credits

N05ec@LZU-DSLab Jacob Walls Jacob Walls

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T18:09:56.739026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T20:21:50.751Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "N05ec@LZU-DSLab"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdd permissions on inline model instances were not validated on submission of\u003c/p\u003e\u003cp\u003eforged `POST` data in `GenericInlineModelAdmin`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank N05ec@LZU-DSLab for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122: Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:25.547Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-07T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-16T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Privilege abuse in GenericInlineModelAdmin",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-4277",
    "datePublished": "2026-04-07T14:22:25.547Z",
    "dateReserved": "2026-03-16T15:26:08.125Z",
    "dateUpdated": "2026-04-09T20:21:50.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.