Django vulnerabilities
Summary
Seokchan Yoon discovered that Django incorrectly handled copying memory when parsing multipart uploads with excessive whitespace. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-33033) It was discovered that Django did not enforce an upload memory size limit in the Content-Length header. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33034) Tarek Nakkouch discovered that Django incorrectly handled underscores in the ASGI headers. A remote attacker could possibly use this issue to spoof HTTP headers. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-3902) It was discovered that Django incorrectly handled verification of model data created with POST requests. A remote attacker could possibly use this issue to forge new model permissions. (CVE-2026-4277, CVE-2026-4292) Affected Ubuntu releases: 25.10, 24.04, 22.04, 20.04, 18.04. CVEs: CVE-2026-33033, CVE-2026-4277, CVE-2026-3902, CVE-2026-33034, CVE-2026-4292.
- Ubuntu 25.10
- Ubuntu 24.04
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 18.04
Official advisory · medium-confidence parse· fetched 3 hours ago·verify at source
Mitigation checklist
- Apply available updates: `sudo apt update && sudo apt upgrade` (a standard system update installs the fix).
Official advisory · medium-confidence parse· fetched 3 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.