RepoJournal
Django

@django

Python's batteries-included web framework


DJANGO PATCHES CACHE MIDDLEWARE VULNERABILITY WHILE DOCS BUILD FINALLY WORKS

By RepoJournal · Filed · About Django

Django shipped a critical cache control bypass fix overnight while fixing a year-old documentation builder bug that broke ReadTheDocs previews.

The security fix addresses CVE-2026-35193 [1], a substring matching flaw in UpdateCacheMiddleware that could allow cache poisoning through extension directives. The vulnerability is real enough to warrant immediate attention on production systems. In parallel, the docs team fixed a persistent issue where the djangodocs Sphinx extension failed to work with anything other than a hardcoded list of HTML builders [2] [3], which meant dirhtml builds and ReadTheDocs PR previews rendered empty content blocks. That same fix also removed obsolete Sphinx 1.8 compatibility code [4], cleaning up technical debt. A third patch tightens template archive handling by enforcing safe_join() validation [5], closing a potential path traversal vector. The ASV benchmark suite picked up new ubuntu-latest results [6], giving you better performance baselines.
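The reference for the cache fix describes replacing a substring check on cache-control directives. The sketch below is an added example, not Django's code or the patch itself: it shows how a substring test and a directive-level parse can disagree on the same header value. The function names and sample headers are constructed for illustration.

```python
def parse_cache_control(header):
    """Map each directive name (lowercased) to its raw value, or None.

    Commas inside a quoted-string do not end a directive.
    """
    directives, buf, in_quotes, escaped = {}, [], False, False

    def flush():
        name, _, value = "".join(buf).strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = value.strip() or None
        buf.clear()

    for ch in header:
        if ch == "," and not in_quotes:
            flush()
            continue
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        buf.append(ch)
    flush()
    return directives

def has_directive_substring(header, name):
    """Fragile pattern: true if `name` occurs anywhere in the raw header."""
    return name in header

def has_directive(header, name):
    """Directive-level check: exact, case-insensitive match on the name."""
    return name.lower() in parse_cache_control(header)

# Constructed sample header values (not taken from the advisory).
SAMPLES = ["private, max-age=0", "Private", "max-age=60, x-private-hint=1",
           'public, ext="a, private"', "public, max-age=300"]

def compare(headers, name="private"):
    """Return (header, substring_result, directive_result) per header."""
    return [(h, has_directive_substring(h, name), has_directive(h, name))
            for h in headers]

if __name__ == "__main__":
    for header, sub, tok in compare(SAMPLES):
        flag = "" if sub == tok else "  <-- checks disagree"
        print(f"{header!r:34} substring={sub!s:5} directive={tok!s:5}{flag}")
```

Rows where the two checks disagree are the ones a caching layer should decide by directive name, never by raw string content.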

Action items

References

  [1] Refs #36560, CVE-2026-35193 -- Replaced substring check on cache-control directives in UpdateCacheMiddleware. (django/django)
  [2] Fixed #37150 -- Made djangodocs Sphinx extension work with any html builder. (django/django)
  [3] Fixed #37150 -- Made djangodocs Sphinx extension work with any html builder. (django/django)
  [4] Removed obsolete Sphinx < 1.8 fallback in `VersionDirective` from djangodocs extension. (django/django)
  [5] Fixed #36900 -- Used safe_join() on downloaded template archive. (django/django)
  [6] Results for ubuntu-latest added [skip ci] (django/django-asv)

FAQ

What changed in Django on June 10, 2026?

Django shipped a critical cache control bypass fix overnight while fixing a year-old documentation builder bug that broke ReadTheDocs previews.

What should Django teams do about it?

  • Patch Django to latest immediately for CVE-2026-35193 cache control bypass
  • Rebuild documentation if using dirhtml or custom HTML builders
  • Review template archive handling in custom management commands

Which Django repositories shipped on June 10, 2026?

django/django, django/django-asv
