5 matches found

ATTACKERKB
added yesterday, 1 view

CVE-2026-35193

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

3.1 CVSS, 5.8 AI score
Exploits: 0, References: 4, Affected Software: 1
EUVD
added yesterday, 5 views

EUVD-2026-34089

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

3.1 CVSS, 5.8 AI score
Exploits: 0, References: 3
CVE
added yesterday, 7 views

CVE-2026-35193

Technical details about CVE-2026-35193 are not publicly available in the provided documents. Monitor for official updates from Django security advisories.

3.1 CVSS, 5.8 AI score
Exploits: 0, References: 3
RedHat Linux
added 2024/12/04 8:43 p.m., 0 views

rubygem-activestorage: Possible Sensitive Session Information Leak in Active Storage

A flaw was found in Active Storage that may lead to a sensitive session information leak. By default, Active Storage sends a Set-Cookie header along with the user’s session cookie when serving blobs and sets Cache-Control to public. Certain proxies may cache Set-Cookie, leading to an information...

5.3 CVSS, 5.7 AI score, 0.04252 EPSS
Exploits: 0, References: 5
OSV
added 2024/04/12 11:7 a.m., 1 view

OESA-2024-1367 rubygem-activestorage security update

Attach cloud and local files in Rails applications. Security Fixes: Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cooki...

5.3 CVSS, 6.2 AI score, 0.04252 EPSS
Exploits: 0, References: 2