wid-sec-w-2026-0579 · Published 2026-03-03 · View on BSI CERT-Bund ↗

Django: Multiple Vulnerabilities

CVSS 7.5 HIGH

Risk Summary

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVEs (2)

CVE-2026-25673 CVE-2026-25674

Affected Vendors

Open Source SUSE

Affected Products (6)

Open Source · Django <6.0.3

Open Source · Django 6.0.3

Open Source · Django <5.2.12

Open Source · Django 5.2.12

Open Source · Django <4.2.29

Open Source · Django 4.2.29

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more