
DJANGO 5.2.13 PATCHES CRITICAL UPLOAD VULNERABILITY

By RepoJournal

Django shipped an emergency security update that enforces upload size limits on request bodies—a gap that could let attackers bypass your DATA_UPLOAD_MAX_MEMORY_SIZE protections.

Code.djangoproject.com just landed Django 5.2.13 [1], which includes the fix for CVE-2026-33034: request body data wasn't subject to the memory upload ceiling you thought was being enforced. This is the kind of patch that feels minor until you realize someone's been uploading 500MB payloads to your endpoint.

Meanwhile, the core Django repo is preparing for Python 3.15 compatibility [2], having adopted the new annotation_format parameter in getfullargspec() just before the feature freeze. That is good news if you're running bleeding-edge Python.

On the feature front, Django landed dictionary-based EMAIL_PROVIDERS [3], decoupled backend tests from settings [4], and fixed a subtle but annoying bug where admin calendar widgets highlighted the wrong date based on timezone mismatches [7]. Djangoproject.com integrated the djade linter [5] for consistent template formatting and rewired the /about redirect [6] to point at /foundation instead of 404ing.

References

  [1] Bump django from 5.2.9 to 5.2.13 (django/code.djangoproject.com)
  [2] Refs #36712, #36664 -- Used annotation_format parameter of getfullargspec() on Python 3.15. (django/django)
  [3] Isolated commits from PR #21231 -- Fixed #35514 -- Implemented dictionary-based EMAIL_PROVIDERS. (django/django)
  [4] Refs #35514 -- Decoupled settings from functional EmailBackend tests. (django/django)
  [5] Add djade linter for Django templates (Fixes #2372) (django/djangoproject.com)
  [6] Redirect /about to /foundation (django/djangoproject.com)
  [7] Fixed #37074 -- Synced admin calendar today highlight with server time. (django/django)

FAQ

What changed in Django on May 9, 2026?
Django shipped an emergency security update that enforces upload size limits on request bodies—a gap that could let attackers bypass your DATA_UPLOAD_MAX_MEMORY_SIZE protections.
What should Django teams do about it?
  • Upgrade to Django 5.2.13 before next deploy—CVE-2026-33034 is a real exposure
  • Verify your DATA_UPLOAD_MAX_MEMORY_SIZE settings are in place and test with payloads near the limit
  • If running Python 3.15, test the annotation_format compatibility changes in your test suite
Which Django repositories shipped on May 9, 2026?
django/code.djangoproject.com, django/django, django/djangoproject.com
