Django · Django · CVE-2026-48587
**Name of the Vulnerable Software and Affected Versions**
Django versions prior to 5.2.15
Django versions prior to 6.0.6
**Description**
The `django.utils.cache.has_vary_header()` function does not strip leading or trailing whitespace from `Vary` response header values before comparison. This allows remote attackers to read cached responses by requesting URLs whose responses carry whitespace-padded `Vary` header values.
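The following is an added illustration, not Django's own code: a simplified model of the comparison described above beside a whitespace-tolerant form, plus a small audit helper that flags responses whose `Vary` value only names a header once padding is stripped. The function names, the comma-splitting regex and the sample headers are assumptions constructed for this example.

```python
import re

# Assumption: the value is split on commas with optional surrounding whitespace,
# which leaves padding at the very start or end of the header value intact.
_DELIM = re.compile(r"\s*,\s*")


def vary_contains_unstripped(vary_value, name):
    """Model of the flawed check: tokens are compared without stripping."""
    tokens = {t.lower() for t in _DELIM.split(vary_value)}
    return name.lower() in tokens


def vary_contains_stripped(vary_value, name):
    """Hardened model: strip every token and drop empty ones before comparing."""
    tokens = {t.strip().lower() for t in vary_value.split(",") if t.strip()}
    return name.lower() in tokens


def audit_vary(headers_by_url, name="Cookie"):
    """Return URLs whose Vary value names `name` only after stripping."""
    flagged = []
    for url, headers in headers_by_url.items():
        vary = headers.get("Vary", "")
        if vary_contains_stripped(vary, name) and not vary_contains_unstripped(vary, name):
            flagged.append(url)
    return sorted(flagged)


# Constructed sample response headers (hypothetical URLs, not from the advisory).
SAMPLE = {
    "/profile/": {"Vary": " Cookie"},                    # leading space
    "/account/": {"Vary": "Accept-Language, Cookie\t"},  # trailing tab
    "/feed/": {"Vary": "Accept-Encoding , Cookie"},      # inner padding only
    "/static/": {"Vary": "Accept-Encoding"},             # Cookie not listed
}

if __name__ == "__main__":
    for url in audit_vary(SAMPLE):
        print("padded Vary hides Cookie:", url, repr(SAMPLE[url]["Vary"]))
```

Running the audit over headers captured from your own views or upstream middleware shows which responses emit padded `Vary` values while the upgrade is being rolled out.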
**Recommendations**
Update to version 5.2.15 or newer.
Update to version 6.0.6 or newer.