Django Software Foundation · Django · CVE-2026-5766
**Name of the Vulnerable Software and Affected Versions**
Django versions 6.0 through 6.0.4
Django versions 5.2 through 5.2.13
**Description**
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit. This allows large files to be loaded into memory, which can lead to service degradation and a potential denial-of-service. ASGI (Asynchronous Server Gateway Interface) is a standard for asynchronous Python web servers to communicate with web applications.
**Recommendations**
Update versions 6.0 through 6.0.4 to version 6.0.5.
Update versions 5.2 through 5.2.13 to version 5.2.14.
Configure a limit at the web server level to avoid relying solely on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
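As an application-side complement to the web server limit recommended above, the following added example (not Django's code and not the upstream fix) shows an ASGI middleware that caps a request body by the bytes actually received rather than by the declared `Content-Length`. The names `BodySizeLimit`, `BodyTooLarge` and `simulate`, the stand-in app and the sample chunks are all constructed for illustration.

```python
import asyncio  # added example; class and function names below are hypothetical

class BodyTooLarge(Exception): pass

class BodySizeLimit:
    """ASGI middleware: cap request bodies by bytes received, not by Content-Length."""
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        seen, started = 0, False
        async def counting_receive():
            nonlocal seen
            msg = await receive()
            seen += len(msg.get("body", b""))  # http.disconnect carries no body
            if seen > self.max_bytes:
                raise BodyTooLarge
            return msg
        async def tracking_send(msg):
            nonlocal started
            started = started or msg["type"] == "http.response.start"
            await send(msg)
        try:
            await self.app(scope, counting_receive, tracking_send)
        except BodyTooLarge:
            if started:
                raise  # response already begun; let the server close the connection
            await send({"type": "http.response.start", "status": 413, "headers": []})
            await send({"type": "http.response.body", "body": b""})

def simulate(chunks, declared_length, max_bytes):
    """Constructed harness: returns (status, bytes the stand-in app buffered)."""
    buffered, sent = bytearray(), []
    queue = [{"type": "http.request", "body": c, "more_body": True} for c in chunks]
    queue.append({"type": "http.request", "body": b"", "more_body": False})
    async def app(scope, receive, send):  # stand-in app that buffers the whole body
        while (msg := await receive())["more_body"]:
            buffered.extend(msg["body"])
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b""})
    async def receive():
        return queue.pop(0)
    async def send(msg):
        sent.append(msg)
    scope = {"type": "http", "headers": [(b"content-length", declared_length)]}
    asyncio.run(BodySizeLimit(app, max_bytes)(scope, receive, send))
    return sent[0]["status"], len(buffered)
```

With a 2048-byte cap, a request that declares `Content-Length: 10` but streams 5000 bytes is cut off with a 413 after the stand-in app has buffered 2000 bytes.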