
"We also patched two potential denial-of-service vulnerabilities when handling large, malformed inputs. One exploits inefficient string concatenation in header parsing under ASGI (CVE-2025-14550). Concatenating strings in a loop is known to be slow, and we've done fixes in public where the impact is low. The other one (CVE-2026-1285) exploits deeply nested entities. December's vulnerability in the XML serializer (CVE-2025-64460) was about those very two themes."
"Finally, we also patched three potential SQL injection vulnerabilities. One envisioned a developer passing unsanitized user input to a niche feature of the PostGIS backend (CVE-2026-1207), much like CVE-2020-9402. Our security reporting policy assumes that developers are aware of the risks when passing unsanitized user input directly to the ORM. But the division between SQL statements and parameters is well ingrained, and the expectation is that Django will not fail to escape para"
Django released security fixes addressing six vulnerabilities of varying severity. Most reports are variations on previous vulnerabilities rather than new classes of issues. The Security Team now spends more time deciding whether a precedent should extend to marginal variations and whether those variations meet vulnerability impact thresholds. Recent patches include a low-severity user enumeration in the mod_wsgi authentication handler (CVE-2025-13473), two denial-of-service issues involving ASGI header parsing and deeply nested entities (CVE-2025-14550, CVE-2026-1285), and three potential SQL injection issues including a PostGIS backend case (CVE-2026-1207).
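The ASGI header-parsing issue above (CVE-2025-14550) is an instance of a general pattern: merging repeated header values by concatenating inside a loop does work proportional to the square of the input size. The following is an added, constructed illustration (not Django's code, before or after the patch) that counts the bytes copied by the loop-concatenation pattern beside a single join, wrapped in a parser for the ASGI raw-header format (a list of `(name, value)` byte pairs); the size cap `MAX_HEADER_BYTES` and all function names are assumptions for the example.

```python
from __future__ import annotations

from typing import Callable, Iterable

# Assumed defensive cap on total header bytes; illustrative, not a Django setting.
MAX_HEADER_BYTES = 16 * 1024


def merge_quadratic(values: Iterable[bytes]) -> tuple[bytes, int]:
    """Merge repeated header values with `+` inside a loop (the slow pattern).

    Returns (merged value, bytes copied). Every iteration builds a new bytes
    object holding the whole accumulator, so the copy count grows with the
    square of the number of repeated headers.
    """
    merged, copied = b"", 0
    for i, value in enumerate(values):
        merged = value if i == 0 else merged + b", " + value
        copied += len(merged)  # bytes written to build this iteration's object
    return merged, copied


def merge_linear(values: Iterable[bytes]) -> tuple[bytes, int]:
    """Collect the parts and join once: each byte is written a bounded number of times."""
    merged = b", ".join(values)
    return merged, len(merged)


def parse_asgi_headers(
    raw_headers: list[tuple[bytes, bytes]],
    merge: Callable[[Iterable[bytes]], tuple[bytes, int]] = merge_linear,
) -> tuple[dict[str, str], int]:
    """Group ASGI raw headers (a list of (name, value) byte pairs) by name.

    Repeated names are merged with `merge`; input above MAX_HEADER_BYTES is
    rejected before any merging work is done. Returns (headers, bytes copied
    while merging); the second value is the work a client can force per request.
    """
    total = sum(len(name) + len(value) for name, value in raw_headers)
    if total > MAX_HEADER_BYTES:
        raise ValueError(f"headers exceed {MAX_HEADER_BYTES} bytes")
    grouped: dict[bytes, list[bytes]] = {}
    for name, value in raw_headers:
        grouped.setdefault(name.lower(), []).append(value)
    headers, cost = {}, 0
    for name, values in grouped.items():
        merged, copied = merge(values)
        headers[name.decode("latin-1")] = merged.decode("latin-1")
        cost += copied
    return headers, cost
```

With 100 repeats of a 10-byte value both merges return the same header, but the loop version copies 60400 bytes against 1198 for the join, and the gap widens quadratically as repeats grow; the size check bounds that work regardless of which merge is used.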