PT-2026-6035 · Django+3

Jacob Walls +2 · Published 2026-02-03 · Updated 2026-03-10 · CVE-2026-1285

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Django versions 6.0 through 6.0.1
Django versions 5.2 through 5.2.10
Django versions 4.2 through 4.2.27
Django versions 5.0.x and earlier
Django versions 4.1.x and earlier
Django versions 3.2.x and earlier

Description

The django.utils.text.Truncator.chars() and Truncator.words() methods, when used with html=True, and the truncatechars_html and truncatewords_html template filters are susceptible to a potential denial-of-service. This occurs when processing crafted inputs containing a large number of unmatched HTML end tags.

Recommendations

Update to Django version 6.0.2 or later.
Update to Django version 5.2.11 or later.
Update to Django version 4.2.28 or later.
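
A version check built from the affected ranges and fixed releases listed above, as an added example that is not part of this advisory or of Django. The names `check_django` and `parse_version`, the `not-listed` status for series the advisory does not mention (such as 5.1.x), and the choice of the nearest fixed release as the upgrade target for the older series are assumptions.

```python
import re

# Fixed release per series, taken from the Recommendations in this advisory.
FIXED = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}
# The advisory lists 5.0.x, 4.1.x and 3.2.x "and earlier" with no fix of their own.
EOL_CEILING = (5, 0)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.2.10' or '6.0'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def check_django(version_text):
    """Classify a Django version against PT-2026-6035 / CVE-2026-1285.

    Returns (status, upgrade_target). status is 'affected', 'fixed' or
    'not-listed' (a series this advisory does not mention).
    """
    ver = parse_version(version_text)
    series = ver[:2]
    if series in FIXED:
        fixed = FIXED[series]
        if ver >= fixed:
            return "fixed", None
        return "affected", ".".join(map(str, fixed))
    if series <= EOL_CEILING:
        # Assumption: point older series at the nearest fixed release above them.
        target = min(f for f in FIXED.values() if f > ver)
        return "affected", ".".join(map(str, target))
    return "not-listed", None


if __name__ == "__main__":
    from importlib.metadata import PackageNotFoundError, version
    try:
        print(check_django(version("django")))
    except PackageNotFoundError:
        print("Django is not installed in this environment")
```
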

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-03467
BIT-DJANGO-2026-1285
CVE-2026-1285
GHSA-4RRR-2H4V-F3J9
MGASA-2026-0032
OESA-2026-1307
OESA-2026-1308
OESA-2026-1309
OESA-2026-1343
OESA-2026-1344
OESA-2026-1507
OPENSUSE-SU-2026:10145-1
OPENSUSE-SU-2026:10160-1
OPENSUSE-SU-2026:10247-1
OPENSUSE-SU-2026:20184-1
PYSEC-2026-45
RHSA-2026:14835
RHSA-2026:3958
RHSA-2026:3959
RHSA-2026:5970
RHSA-2026:5971
SUSE-SU-2026:0440-1
USN-8009-1

Affected Products

Django
Linuxmint
Red Os
Ubuntu