Django has released updates 6.0.6 and 5.2.15 to fix several low-severity security vulnerabilities. Users are advised to upgrade promptly to mitigate potential risks concerning cookie signing, email transmission, and caching behavior.
The Django team has issued security releases 6.0.6 and 5.2.15. These versions matter to anyone running Django, as they fix multiple security issues, each tracked under a CVE. Users are strongly encouraged to upgrade to these versions as soon as possible.
CVE-2026-6873 addresses a signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie, which could cause a cookie signed in one context to be accepted in another. The signing salt derivation has been changed to be unambiguous; older signed cookies will still be accepted until Django 7.0 for backward compatibility.
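To make the "namespace collision" concrete, here is an added example (not Django's own code, and not a claim about how Django's salt derivation actually works): a hypothetical signer where the salt is built by naively concatenating a namespace and a key, so two different (namespace, key) pairs can yield the same salt and therefore interchangeable signatures, next to a length-prefixed derivation that cannot collide. The secret and the helper names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment derives keys from its own secret material.
SECRET = b"constructed-demo-secret-not-for-real-use"


def naive_salt(namespace: str, key: str) -> str:
    """Plain concatenation: ("ab", "c") and ("a", "bc") produce the same salt."""
    return namespace + key


def unambiguous_salt(namespace: str, key: str) -> str:
    """Length-prefix each component so distinct (namespace, key) pairs
    can never encode to the same string."""
    return f"{len(namespace)}:{namespace}|{len(key)}:{key}"


def sign(value: str, salt: str) -> str:
    """Hypothetical signer: derive a per-salt key, then HMAC the value.
    Generic illustration only; this is not Django's Signer implementation."""
    derived = hashlib.sha256(salt.encode("utf-8") + SECRET).digest()
    return hmac.new(derived, value.encode("utf-8"), hashlib.sha256).hexdigest()


def signatures_collide(salt_fn, pair_a, pair_b, value: str = "session-token") -> bool:
    """True if the same value signed in two supposedly different contexts
    produces the same signature, i.e. one context's cookie verifies in the other."""
    sig_a = sign(value, salt_fn(*pair_a))
    sig_b = sign(value, salt_fn(*pair_b))
    return hmac.compare_digest(sig_a, sig_b)


if __name__ == "__main__":
    print(signatures_collide(naive_salt, ("ab", "c"), ("a", "bc")))        # True
    print(signatures_collide(unambiguous_salt, ("ab", "c"), ("a", "bc")))  # False
```

The defender's takeaway is the check itself: whatever pieces go into a signing salt, encode them so that the boundary between them is recoverable (length prefixes or a separator that cannot occur in the components), and verify by signing the same value under two contexts that differ only in where that boundary falls.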
CVE-2026-7666 covers an issue in the SMTP backend where a failed STARTTLS handshake can leave a connection partially initialized, so that email could be transmitted unencrypted over the plaintext connection. Connections configured with EMAIL_USE_SSL are not affected.
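The safe handling of that failure mode, as an added example that is not Django's SMTP backend code: a hypothetical helper that, when TLS is required, either completes the STARTTLS upgrade or closes the plaintext connection and raises, so nothing can be sent over the half-initialized socket. The FakeSMTP class is a constructed stand-in for smtplib.SMTP so the example runs offline; the helper and exception names are assumptions.

```python
import smtplib
import ssl


class TLSRequired(RuntimeError):
    """Raised when TLS was required but the STARTTLS upgrade did not complete."""


def upgrade_to_tls(conn, use_tls: bool, context=None):
    """Hypothetical helper: return conn ready for use, or close it and raise.

    conn is an already-connected smtplib.SMTP (or compatible) object.
    If use_tls is set and the STARTTLS upgrade fails for any reason, the
    plaintext connection is closed so no caller can send over it by mistake.
    """
    if not use_tls:
        return conn
    try:
        conn.ehlo()
        conn.starttls(context=context or ssl.create_default_context())
        conn.ehlo()  # re-identify over the now-encrypted channel
    except (smtplib.SMTPException, OSError) as exc:
        try:
            conn.close()
        except OSError:
            pass  # the socket may already be gone; the failure is still fatal
        raise TLSRequired("STARTTLS failed; connection closed") from exc
    return conn


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, supports_starttls: bool):
        self.supports_starttls = supports_starttls
        self.encrypted = False
        self.closed = False

    def ehlo(self):
        return 250, b"OK"

    def starttls(self, context=None):
        if not self.supports_starttls:
            raise smtplib.SMTPNotSupportedError(
                "STARTTLS extension not supported by server."
            )
        self.encrypted = True
        return 220, b"Ready to start TLS"

    def close(self):
        self.closed = True


def try_connection(supports_starttls: bool) -> dict:
    """Run the helper against a fake server and report the state it left behind."""
    conn = FakeSMTP(supports_starttls)
    try:
        upgrade_to_tls(conn, use_tls=True)
        outcome = "ready"
    except TLSRequired:
        outcome = "refused"
    return {"outcome": outcome, "encrypted": conn.encrypted, "closed": conn.closed}


if __name__ == "__main__":
    print(try_connection(True))   # {'outcome': 'ready', 'encrypted': True, 'closed': False}
    print(try_connection(False))  # {'outcome': 'refused', 'encrypted': False, 'closed': True}
```

The property worth asserting in your own mail code is the second line: after a failed upgrade the connection object must be closed, not merely left unencrypted with an exception logged somewhere upstream.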
CVE-2026-8404 covers potential private data exposure caused by incorrect handling of Cache-Control directives in UpdateCacheMiddleware, which could cache responses marked as private.
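The check a server-side cache layer needs before storing a response, as an added example that is not the code of UpdateCacheMiddleware: parse the Cache-Control header and apply the shared-cache rules of RFC 9111, where `private` and `no-store` forbid storage, `s-maxage` takes precedence over `max-age` for shared caches, and a zero or malformed lifetime means do not store. Function names and the default TTL are assumptions; the sample headers in the usage block are constructed.

```python
def parse_cache_control(header: str) -> dict:
    """Parse a Cache-Control header into {directive: value-or-True}.
    Directive names are case-insensitive; quoted values are unquoted."""
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def shared_cache_decision(headers: dict, default_ttl: int = 300):
    """Decide whether a shared (server-side) cache may store this response.

    Returns (storable, ttl_seconds). 'private' and 'no-store' forbid storage
    outright; 's-maxage' overrides 'max-age' for shared caches; a lifetime
    of 0 means do not store. A field-scoped private="..." is treated as
    fully private, the conservative choice for a whole-response cache.
    """
    header = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    cc = parse_cache_control(header)
    if "private" in cc or "no-store" in cc:
        return False, None
    ttl = default_ttl
    for name in ("max-age", "s-maxage"):  # s-maxage checked last so it wins
        if name in cc:
            value = cc[name]
            if value is True or not value.isdigit():
                return False, None  # malformed lifetime: fail closed
            ttl = int(value)
    if ttl <= 0:
        return False, None
    return True, ttl


if __name__ == "__main__":
    # Constructed sample responses
    samples = [
        {"Cache-Control": "private, max-age=600"},
        {"cache-control": "public, max-age=600"},
        {"Cache-Control": "max-age=600, s-maxage=60"},
        {"Cache-Control": 'PRIVATE="Set-Cookie"'},
        {"Cache-Control": "no-store"},
        {},
    ]
    for sample in samples:
        print(sample, "->", shared_cache_decision(sample))
```

Note the case-insensitive lookups on both the header name and the directive names, and the fail-closed handling of lifetimes that are missing a value or are not integers: a cache that only matches the exact lowercase `private` token is the kind of gap that lets a response marked private be stored and served to other clients.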
Django users should prioritize upgrading to 6.0.6 or 5.2.15 to address these vulnerabilities. They are classified as low severity, but prompt action helps keep web applications built on Django secure. Keeping dependencies up to date remains essential as web security threats continue to evolve.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.