7658 matches found
CVE-2026-48587
A flaw was found in Django. Remote attackers can exploit this vulnerability due to django.utils.cache.hasvaryheader not properly stripping whitespace from Vary response header values. This allows an attacker to read cached responses by sending requests to URLs with whitespace-padded Vary header...
CVE-2026-8404
A flaw was found in Django. The django.middleware.cache.UpdateCacheMiddleware component does not correctly process Cache-Control response directives when they use uppercase or mixed-case values. This vulnerability allows a remote attacker to read responses that should not have been cached, leadin...
CVE-2026-7666
A flaw was found in Django. An on-path network attacker could exploit a vulnerability in django.core.mail.backends.smtp.EmailBackend where a partially-initialized connection is reused after a failed STARTTLS handshake when failsilently=True. This could allow the attacker to intercept and read ema...
CVE-2026-6873
A flaw was found in Django. A remote attacker could exploit a non-injective salt derivation in django.http.HttpRequest.getsignedcookie by crafting specific cookie name and salt argument pairs. This vulnerability allows the attacker to use a signed cookie in a different context than intended,...
CVE-2026-35193
A flaw was found in Django. This vulnerability allows a remote attacker to read private cached responses. This occurs because the UpdateCacheMiddleware in Django does not correctly add the Authorization header to the Vary response header for requests that include an Authorization header but lack...
ROOT-APP-PYPI-CVE-2025-64458 CVE-2025-64458 in rootio-django - Patched by Root
Root has patched CVE-2025-64458 in the rootio-django package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-57833 CVE-2025-57833 in rootio-django - Patched by Root
Root has patched CVE-2025-57833 in the rootio-django package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-64459 CVE-2025-64459 in rootio-django - Patched by Root
Root has patched CVE-2025-64459 in the rootio-django package for Root:PyPI. Multiple fixed versions available...
CVE-2026-8404
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...
CVE-2026-7666
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...
CVE-2026-6873
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
CVE-2026-48587
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
CVE-2026-35193
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...
CVE-2026-48587 Potential exposure of private data via whitespace padding in Vary header
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
CVE-2026-48587
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
CVE-2026-48587
Django is affected in versions 5.2 before 5.2.15 and 6.0 before 6.0.6. The vulnerability lies in django.utils.cache.has_vary_header(), which does not strip leading/trailing whitespace from Vary header values before comparison. This can allow remote attackers to read cached responses by targeting ...
CVE-2026-48587 Potential exposure of private data via whitespace padding in Vary header
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
CVE-2026-48587
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0...
EUVD-2026-34090
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
CVE-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...