Update dependency django to v6.0.4 [SECURITY] - autoclosed#77
Closed
renovate[bot] wants to merge 1 commit intomainfrom
Closed
Update dependency django to v6.0.4 [SECURITY] - autoclosed#77renovate[bot] wants to merge 1 commit intomainfrom
renovate[bot] wants to merge 1 commit intomainfrom
Conversation
renovate
Bot
requested review from
f-atwi and
swetha1654
and removed request for
a team
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
renovate
Bot
changed the title
auto-merge was automatically disabled
March 27, 2026 03:29
Pull request was closed
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
7fc1bfc to
fbceb4b
Compare
renovate
Bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
fbceb4b to
7b1504e
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
7b1504e to
65bfa4e
Compare
Contributor
Test results for commit 65bfa4eTest coverage for 65bfa4e Static code analysis report |
Contributor
Test results for commit 65bfa4eTest coverage for 65bfa4e Static code analysis report |
Contributor
Test results for commit 65bfa4eTest coverage for 65bfa4e Static code analysis report |
renovate
Bot
changed the title
auto-merge was automatically disabled
April 22, 2026 05:41
Pull request was closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==6.0.2→==6.0.4Django vulnerable to Uncontrolled Resource Consumption
CVE-2026-25673 / GHSA-8p8v-wh79-9r56
More information
Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
URLField.to_python()in Django callsurllib.parse.urlsplit(), which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django has a Race Condition vulnerability
CVE-2026-25674 / GHSA-mjgh-79qc-68w3
More information
Details
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary
umaskchange affects other threads in multi-threaded environments.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django: SGI requests with a missing or understated
Content-Lengthheader could bypass theDATA_UPLOAD_MAX_MEMORY_SIZElimitCVE-2026-33034 / GHSA-933h-hp56-hf7m
More information
Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated
Content-Lengthheader could bypass theDATA_UPLOAD_MAX_MEMORY_SIZElimit when readingHttpRequest.body, allowing remote attackers to load an unbounded request body into memory.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django has potential DoS via MultiPartParser through crafted multipart uploads
CVE-2026-33033 / GHSA-5mf9-h53q-7mhq
More information
Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
MultiPartParserallows remote attackers to degrade performance by submitting multipart uploads withContent-Transfer-Encoding: base64including excessive whitespace.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
CVE-2026-3902 / GHSA-mvfq-ggxm-9mc5
More information
Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGIRequestallows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to privilege abuse in ModelAdmin.list_editable
CVE-2026-4292 / GHSA-mmwr-2jhp-mc7j
More information
Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using
ModelAdmin.list_editableincorrectly allowed new instances to be created via forgedPOSTdata.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to privilege abuse in GenericInlineModelAdmin
CVE-2026-4277 / GHSA-pwjp-ccjc-ghwg
More information
Details
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged
POSTdata inGenericInlineModelAdmin.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
django/django (django)
v6.0.4Compare Source
v6.0.3Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.