Back to overview

CVE-2026-53878

MEDIUM
6.1
CVSS 3.1
Description
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

Metadata

CVE ID
CVE-2026-53878
State
PUBLISHED
Assigner
DSF
Reserved
2026-06-11 01:11 UTC
Published
2026-07-07 14:10 UTC
Last updated
2026-07-07 14:58 UTC
Primary CWE
CWE-144
CWE-144: Improper Neutralization of Line Delimiters
Vendor / Product
djangoproject / Django
Sources
cve.org  ·  NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
djangoproject Django 6.0 < 6.0.7, 6.0.7, 5.2 < 5.2.16, 5.2.16
Weakness (CWE)
CWESourceDescription
CWE-144 cna CWE-144: Improper Neutralization of Line Delimiters
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.1 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References (3)
Back to overview