The Wire · Showcase
DJANGO PATCHES THREE SECURITY VULNERABILITIES OVERNIGHT
By RepoJournal · Filed · About Django
Django archived three CVEs in a single sweep [ref:1], signaling fixes are live across the release line.
The framework locked down CVE-2026-48588, CVE-2026-53877, and CVE-2026-53878 [1], though specific vulnerability details remain under embargo until patches deploy more broadly. More immediately: a long-standing bug in encode_multipart() that silently dropped form field values when files shared the same parameter name is now fixed [2]. This one stings. If your app processes forms with overlapping field and file names (think file uploads on a field called 'attachment'), you've been losing data without knowing it. The fix upgrades to data.lists() instead of data.items() to preserve all values per key. Django 6.0.8 stub release notes are live [3], suggesting a patch drop soon. The admin filter_vertical widget also got a positioning fix for its arrow buttons [4], a small quality-of-life improvement.
Action items
- → Review forms that upload files and fields with matching parameter names - you may be silently losing data django/django [immediate]
- → Watch for Django 6.0.8 release - patch likely within 48 hours given stub notes django/django [monitor]
- → Upgrade to latest patch branch once security fixes publish django/django [plan]
References
- [1] Added CVE-2026-48588, CVE-2026-53877, and CVE-2026-53878 to security archive. django/django
- [2] Fixed #17631 -- Handled fields and files with the same name in encode_multipart(). django/django
- [3] Added stub release notes for 6.0.8. django/django
- [4] Fixed #36621 -- Fixed arrow buttons position in admin filter_vertical widget. django/django
FAQ
- What changed in Django on July 8, 2026?
- Django archived three CVEs in a single sweep , signaling fixes are live across the release line.
- What should Django teams do about it?
- Review forms that upload files and fields with matching parameter names - you may be silently losing data • Watch for Django 6.0.8 release - patch likely within 48 hours given stub notes • Upgrade to latest patch branch once security fixes publish
- Which Django repositories shipped on July 8, 2026?
- django/django