EUVD-2026-34086

🗓️ 03 Jun 2026 13:16:03Reported by EUVDType

Django before versions 6.0.6 and 5.2.15 allow cross-context cookie use due to non-injective salt in get_signed_cookie.

Reporter	Title	Published	Views	Family All 18
ATTACKERKB	CVE-2026-6873	3 Jun 202613:16	–	attackerkb
CVE	CVE-2026-6873	3 Jun 202613:16	–	cve
Cvelist	CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie	3 Jun 202613:16	–	cvelist
Debian CVE	CVE-2026-6873	3 Jun 202613:16	–	debiancve
NVD	CVE-2026-6873	3 Jun 202614:16	–	nvd
OSV	BIT-DJANGO-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie	6 Jun 202608:39	–	osv
OSV	DEBIAN-CVE-2026-6873	3 Jun 202614:16	–	osv
OSV	MINI-83V4-8HHC-2939	6 Jun 202616:13	–	osv
OSV	PYSEC-2026-199	3 Jun 202614:16	–	osv
OSV	UBUNTU-CVE-2026-6873	3 Jun 202613:00	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "1a1609b5-1cd2-3b24-beec-786648672969",
        "vendor": {
          "name": "djangoproject"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "5fe69b73-07a6-3033-afea-949772758b7b",
        "product": {
          "name": "Django",
          "vendor": {
            "name": "djangoproject"
          }
        },
        "product_version": "5.2 <5.2.15"
      },
      {
        "id": "77fe7f3a-5e75-3ae1-8fa2-bfbeb1c9c364",
        "product": {
          "name": "Django",
          "vendor": {
            "name": "djangoproject"
          }
        },
        "product_version": "6.0 <6.0.6"
      }
    ]
  }
]

Source	Link
docs	www.docs.djangoproject.com/en/dev/releases/security/
groups	www.groups.google.com/g/django-announce
djangoproject	www.djangoproject.com/weblog/2026/jun/03/security-releases/

03 Jun 2026 15:43Current

5.8Medium risk

Vulners AI Score5.8

CVSS 42.3

CVSS 3.13.1

EPSS0.00011

SSVC