SUSE-SU-2026:1740-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261740-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1740-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:1740-1
Upstream
Related
Published
2026-05-07T07:00:32Z
Modified
2026-05-08T08:15:41.601565Z
Summary
Security update for python-Django
Details

This update for python-Django fixes the following issues:

  • CVE-2026-3902: headers spoofing by exploiting an ambiguous mapping of two header variants in ASGIRequest requests (bsc#1261729).
  • CVE-2026-4277: permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin (bsc#1261731).
  • CVE-2026-4292: admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created via forged POST data (bsc#1261732).
  • CVE-2026-5766: potential denial-of-service vulnerability in ASGI requests via file upload limit bypass (bsc#1264153).
  • CVE-2026-6907: potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware (bsc#1264152).
  • CVE-2026-33033: denial of service via missing or understated Content-Length header in ASGI requests (bsc#1261722).
  • CVE-2026-33034: ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body (bsc#1261724).
  • CVE-2026-35192: session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST (bsc#1264154).
References

Affected packages