RepoJournal
Django

@django

Python's batteries-included web framework


DJANGO PATCHES HEADER PARSING VULNERABILITY AFFECTING CACHE AND SECURITY

By RepoJournal · Filed · About Django

Django shipped a critical fix for CVE-2026-48587 that rewrites how the framework parses HTTP header values, closing a whitespace-handling gap that could leave tokens improperly sanitized.

The security fix [1] extracts the repeated split-and-strip logic into a new `split_header_value()` generator in django/utils/http.py. The old `cc_delim_re` regex only stripped whitespace adjacent to the comma delimiter, so leading whitespace on the first token and trailing whitespace on the last token survived. For RFC 9110 compliance every token is now fully stripped, not just the edges around delimiters. This matters because lax header parsing cascades into cache headers, content-type values, and any comma-separated header field your app touches.

In parallel, Django optimized DBCache culling [2] to run only once every n queries instead of on every query, a performance win for apps hammering the database cache layer.

The team also fixed test isolation bugs [3] in which cached Site instances leaked database hints across test boundaries, causing unexpected writes to alternate databases. These aren't flashy features, but they're the kind of foundational fixes that prevent production surprises.
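To make the whitespace gap concrete, the following is an added example written for this page; it is not Django's code and does not reproduce the real `split_header_value()`. The regex `OLD_DELIM_RE` mirrors the shape of the old `cc_delim_re` (split on a comma plus the whitespace touching it), `split_header_value_example()` is a hypothetical RFC 9110 list splitter that strips every element, and `has_directive()` shows how a directive sitting at the edge of a header value is missed by the old behaviour. The sample header values are constructed.

```python
import re

# Constructed example, not Django's code. A regex of the same shape as the
# old cc_delim_re: it only consumes whitespace that sits next to a comma.
OLD_DELIM_RE = re.compile(r"\s*,\s*")


def split_old(value):
    """Old-style split: whitespace at the very start or end of the header
    value is never removed, so the first and last tokens can carry it."""
    return OLD_DELIM_RE.split(value)


def split_header_value_example(value):
    """Illustrative RFC 9110 list splitter (an assumption about the shape of
    Django's new helper, not a copy of it): split on commas, strip optional
    whitespace (spaces, tabs, CR/LF) from every element, and drop empty
    elements such as the one produced by "a, , b"."""
    for token in value.split(","):
        token = token.strip()
        if token:
            yield token


def has_directive(value, directive, splitter=split_header_value_example):
    """Case-insensitive membership test for a directive such as 'no-cache'.
    Comparing against an unstripped token is what makes the old splitter
    miss a directive that sits at the edge of the header value."""
    wanted = directive.lower()
    return any(token.lower() == wanted for token in splitter(value))


# Constructed sample header values exercising the edge cases.
SAMPLES = [
    " no-cache, max-age=0 ",   # leading/trailing whitespace on the edge tokens
    "private,  , max-age=60",  # empty element in the middle
    "\tno-store",              # a single tab-prefixed token, no comma at all
]


def compare(value):
    """Return (old_tokens, new_tokens) so the difference is visible side by side."""
    return split_old(value), list(split_header_value_example(value))


if __name__ == "__main__":
    for sample in SAMPLES:
        old, new = compare(sample)
        print(f"{sample!r}\n  old: {old}\n  new: {new}")
    # The old splitter does not see the directive at the edge of the value:
    print(has_directive(" no-cache, max-age=0 ", "no-cache", splitter=split_old))  # False
    print(has_directive(" no-cache, max-age=0 ", "no-cache"))                     # True
```

The practical check for a codebase is the `has_directive()` pattern: anywhere a comma-separated header is split and then compared by exact token, leading or trailing whitespace on the first or last element silently turns a match into a miss, which is why the full per-token strip matters for cache and content-type handling.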

Action items

References

  [1] Refs CVE-2026-48587 -- Added helper to properly split header values. django/django
  [2] Fixed #32785 -- Optimize cull frequency for DBCache. django/django
  [3] Refs #16281 -- Fixed isolation of admin_views.ViewOnSiteTests. django/django

FAQ

What changed in Django on June 9, 2026?
Django shipped a critical fix for CVE-2026-48587 that rewrites how the framework parses HTTP header values, closing a whitespace-handling gap that could leave tokens improperly sanitized.
What should Django teams do about it?
  • Review your custom header parsing code against the new split_header_value() helper
  • Evaluate the DBCache cull_frequency parameter in your settings if you're using database-backed caching
  • Pull the latest test isolation fixes if you maintain large test suites
Which Django repositories shipped on June 9, 2026?
django/django

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.