RepoJournal
Django

@django

Python's batteries-included web framework

DJANGO PATCHES THREE CRITICAL CACHE AND UPLOAD VULNERABILITIES

By RepoJournal · Filed · About Django

Django shipped fixes overnight for three security flaws affecting cache headers, session handling, and ASGI file uploads that could let attackers bypass critical safety limits.

Three CVEs hit the archive simultaneously [1], each addressing a distinct attack surface. CVE-2026-6907 [2] fixes a cache poisoning vulnerability where requests with wildcard Vary headers were being cached when they shouldn't be — a bypass that could serve stale data to the wrong users. CVE-2026-35192 [3] ensures the Vary header is actually sent when SESSION_SAVE_EVERY_REQUEST=True, preventing session fixation attacks in certain configurations. The most dangerous is CVE-2026-5766 [4], which affects ASGI deployments specifically: attackers could declare a small Content-Length header while uploading massive files, bypassing DATA_UPLOAD_MAX_MEMORY_SIZE entirely and crashing your workers. The ASGI vulnerability is critical if you're running Django on async servers — the fix enforces the memory limit on the bytes actually received, regardless of what the client claims to be sending.
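The three rules the patches enforce, modelled as defender-side checks. This is an added example, not Django's own code or the code in the referenced commits: it uses only the standard library, represents response headers as a plain dict, and assumes the session cookie name "sessionid" and a hypothetical UploadTooLarge exception.

```python
"""Defender-side model of the three rules described above (added example,
not Django's own code): cache-safety checks on response headers and a
bounded upload reader. Standard library only; plain header dicts, the
cookie name "sessionid" and the UploadTooLarge exception are assumptions."""
from typing import Dict, Iterable, List, Optional


def _find_key(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the dict key matching an HTTP header name, case-insensitively."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def vary_fields(headers: Dict[str, str]) -> List[str]:
    """Split the Vary header into lower-cased field names (empty if absent)."""
    key = _find_key(headers, "Vary")
    if key is None:
        return []
    return [f.strip().lower() for f in headers[key].split(",") if f.strip()]


def is_cacheable(headers: Dict[str, str]) -> bool:
    """Rule behind CVE-2026-6907: 'Vary: *' means the response depends on
    something the cache cannot see, so it must never be stored.
    The second check is a general shared-cache rule (not part of the
    described fix): a response that sets a cookie without varying on
    Cookie would be replayed to every later client with the same key."""
    fields = vary_fields(headers)
    if "*" in fields:
        return False
    if _find_key(headers, "Set-Cookie") is not None and "cookie" not in fields:
        return False
    return True


def patch_vary_cookie(headers: Dict[str, str],
                      session_cookie_name: str = "sessionid") -> Dict[str, str]:
    """Rule behind CVE-2026-35192: when the session cookie is (re)set, which
    happens on every response under SESSION_SAVE_EVERY_REQUEST=True, make
    sure Vary lists Cookie. Returns a new header dict; input is untouched."""
    out = dict(headers)
    cookie_key = _find_key(out, "Set-Cookie")
    if cookie_key is None or not out[cookie_key].startswith(session_cookie_name + "="):
        return out
    if "cookie" in vary_fields(out):
        return out
    vary_key = _find_key(out, "Vary")
    if vary_key is None:
        out["Vary"] = "Cookie"
    else:
        out[vary_key] = out[vary_key] + ", Cookie"
    return out


class UploadTooLarge(Exception):
    """Raised when a body exceeds the in-memory limit (assumed name)."""


def read_bounded_upload(chunks: Iterable[bytes], declared_length: int,
                        max_memory: int) -> bytes:
    """Rule behind CVE-2026-5766: the limit is enforced on bytes actually
    received, not on the client's Content-Length. A small declared length
    with a large body is rejected as soon as the limit would be crossed,
    before the oversized chunk is buffered."""
    if declared_length > max_memory:
        raise UploadTooLarge(f"declared {declared_length} bytes > limit {max_memory}")
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > max_memory:
            raise UploadTooLarge(
                f"received more than {max_memory} bytes; client declared {declared_length}")
        buf.extend(chunk)
    return bytes(buf)


def upload_rejected(chunks: Iterable[bytes], declared_length: int, max_memory: int) -> bool:
    """True if read_bounded_upload refuses the body, False if it is accepted."""
    try:
        read_bounded_upload(chunks, declared_length, max_memory)
    except UploadTooLarge:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the client claims 10 bytes but streams 5 KiB.
    lying_client = [b"A" * 1024] * 5
    print("Vary: * cacheable?", is_cacheable({"Vary": "*"}))
    print(patch_vary_cookie({"Set-Cookie": "sessionid=abc; Path=/", "Vary": "Accept-Encoding"}))
    print("5 KiB body declared as 10 bytes rejected at 2 KiB limit?",
          upload_rejected(lying_client, declared_length=10, max_memory=2048))
```

The upload reader is the part worth copying into your own review checklist: any handler that sizes a buffer from Content-Length, or only compares Content-Length against the limit, has the same weakness the ASGI fix closes; the counter has to run on the received chunks.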

References

  [1] django/django: Added CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907 to security archive.
  [2] django/django: Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header contains an asterisk.
  [3] django/django: Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True.
  [4] django/django: Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI.

FAQ

What changed in Django on May 6, 2026?
Django shipped fixes overnight for three security flaws affecting cache headers, session handling, and ASGI file uploads that could let attackers bypass critical safety limits.
What should Django teams do about it?
  • Patch immediately if running ASGI deployments (CVE-2026-5766)
  • Upgrade all Django instances for CVE-2026-6907 and CVE-2026-35192
  • Verify SESSION_SAVE_EVERY_REQUEST=True configs are protected
Which Django repositories shipped on May 6, 2026?
django/django

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.