wid-sec-w-2026-1002 · Published 2026-04-07 · View on BSI CERT-Bund ↗

Django: Multiple Vulnerabilities

CVSS N/A NONE

Risk Summary

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

CVEs (5)

CVE-2026-33033 CVE-2026-33034 CVE-2026-3902 CVE-2026-4277 CVE-2026-4292

Affected Vendors

Open Source Ubuntu

Affected Products (6)

Open Source · Django <6.0.4

Open Source · Django 6.0.4

Open Source · Django <5.2.13

Open Source · Django 5.2.13

Open Source · Django <4.2.30

Open Source · Django 4.2.30

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more