
Commit d9bcc68

1 parent 9e91c7e commit d9bcc68


4 files changed

+214
-88
lines changed

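--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/GHSA-8p8v-wh79-9r56.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-8p8v-wh79-9r56",
+"modified": "2026-03-04T20:24:02Z",
+"published": "2026-03-03T15:31:41Z",
+"aliases": [
+"CVE-2026-25673"
+],
+"summary": "Django vulnerable to Uncontrolled Resource Consumption",
+"details": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.3"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.29"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25673"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-400"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-04T20:24:02Z",
+"nvd_published_at": "2026-03-03T15:16:19Z"
+}
+}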
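Review bot: The three `affected` ranges (`introduced` 6.0, 5.2 and 4.2 with their `fixed` versions) leave 5.0.x, 5.1.x and everything below 4.2 outside every range, while the `details` text says those earlier, unsupported series were not evaluated and may also be affected, so a scanner matching on these ranges will report an end-of-life Django 5.1 or 3.2 install as clean. If the database's policy is to flag unevaluated end-of-life series, the gap can be closed by widening the lower bounds, for example `"introduced": "0"` on the 4.2 range and `"introduced": "5.0"` on the 5.2 range; if not, the `summary` should at least carry the caveat so it is visible without reading `details`. The same gap is present in the GHSA-mjgh-79qc-68w3 file in the second section. Separately, `details` makes the slow normalization path Windows-specific, but neither the `summary` nor the CVSS vector reflects that precondition, so consumers on other platforms will apply the HIGH rating without that context; a short clause in the `summary` would help.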
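--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/GHSA-mjgh-79qc-68w3.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-mjgh-79qc-68w3",
+"modified": "2026-03-04T20:24:29Z",
+"published": "2026-03-03T15:31:41Z",
+"aliases": [
+"CVE-2026-25674"
+],
+"summary": "Django has a Race Condition vulnerability",
+"details": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n\nRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.3"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.29"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25674"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-362"
+],
+"severity": "LOW",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-04T20:24:29Z",
+"nvd_published_at": "2026-03-03T15:16:19Z"
+}
+}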
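Review bot: `database_specific.cwe_ids` carries only `CWE-362`, yet the outcome described in `details` — file system objects created with incorrect permissions because one thread's temporary `umask` change is visible to other threads — is also an incorrect-permission weakness, so consider whether `CWE-276` belongs alongside it (`"cwe_ids": ["CWE-362", "CWE-276"]`) so that consumers filtering advisories by permission weaknesses find this one. The `LOW` value in `database_specific.severity` agrees with the `AC:H` and `C:L` components of the CVSS vector, so that pairing needs no change. The `references` list only generic release-notes and announcement URLs; a `FIX` reference to the upstream patch would let readers confirm the umask handling change, but no such URL appears on this page to supply.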

advisories/unreviewed/2026/03/GHSA-8p8v-wh79-9r56/GHSA-8p8v-wh79-9r56.json

Lines changed: 0 additions & 44 deletions
This file was deleted.

advisories/unreviewed/2026/03/GHSA-mjgh-79qc-68w3/GHSA-mjgh-79qc-68w3.json

Lines changed: 0 additions & 44 deletions
This file was deleted.
