CVE-2026-1285

EUVD-2026-5251

03.02.2026, 15:16

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
djangoproject	django	4.2 ≤ 𝑥 < 4.2.28
djangoproject	django	5.2 ≤ 𝑥 < 5.2.11
djangoproject	django	6.0 ≤ 𝑥 < 6.0.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-django

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	2:2.2.28-1~deb11u12 fixed
forky	3:4.2.28-1 fixed
sid	3:4.2.28-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

python-django

bionic	Fixed 1:1.11.11-1ubuntu1.21+esm14 released
focal	Fixed 2:2.2.12-1ubuntu0.29+esm7 released
jammy	Fixed 2:3.2.12-2ubuntu1.25 released
noble	Fixed 3:4.2.11-1ubuntu1.14 released
questing	Fixed 3:5.2.4-1ubuntu2.3 released
trusty	not-affected
xenial	Fixed 1.8.7-1ubuntu5.15+esm11 released

Common Weakness Enumeration

CWE-407 - Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Vulnerability Media Exposure

[GERMAN] Django: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Django ausnutzen, um SQL-Injektionen durchzuführen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-02-03T23:00:00+00:00

References

https://docs.djangoproject.com/en/dev/releases/security/

https://groups.google.com/g/django-announce

https://www.djangoproject.com/weblog/2026/feb/03/security-releases/