
Commit d9a8177

1 parent cc10960 commit d9a8177

4 files changed

Lines changed: 214 additions & 88 deletions


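--- /dev/null
+++ b/GHSA-5mf9-h53q-7mhq.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-5mf9-h53q-7mhq",
+"modified": "2026-04-08T15:29:16Z",
+"published": "2026-04-07T15:30:51Z",
+"aliases": [
+"CVE-2026-33033"
+],
+"summary": "Django has potential DoS via MultiPartParser through crafted multipart uploads",
+"details": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.13"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.30"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33033"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-407"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-08T15:29:16Z",
+"nvd_published_at": "2026-04-07T15:17:39Z"
+}
+}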
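Review bot: The CVSS vector on the `score` line uses PR:L, while the `details` text describes unauthenticated "remote attackers" submitting multipart uploads and the sibling advisory GHSA-933h-hp56-hf7m from the same Django release uses PR:N for an equally unauthenticated body-handling DoS; unless the reviewer has a reason to assume upload endpoints are authenticated, the two should agree, and the choice matters because PR:L yields 6.5 (the MODERATE label below) whereas PR:N yields 7.5 (HIGH). Separately, the `affected` ranges begin at `"introduced": "4.2"`, so OSV-driven scanners will report 3.2.x, 4.1.x and 5.0.x installs as unaffected even though the details say those series were not evaluated and may also be affected; consumers of this record should treat pre-4.2 Django as unevaluated rather than safe. The `details` string is MITRE boilerplate that never names the product; prefixing it with `Django` (e.g. "An issue was discovered in Django 6.0 before 6.0.4 ...") would make the record self-describing when it is surfaced without the `affected` block.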
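--- /dev/null
+++ b/GHSA-933h-hp56-hf7m.json
@@ -0,0 +1,107 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-933h-hp56-hf7m",
+"modified": "2026-04-08T15:29:09Z",
+"published": "2026-04-07T15:30:51Z",
+"aliases": [
+"CVE-2026-33034"
+],
+"summary": "Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit",
+"details": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory.\n\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0"
+},
+{
+"fixed": "6.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2"
+},
+{
+"fixed": "5.2.13"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2"
+},
+{
+"fixed": "4.2.30"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33034"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-770"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-08T15:29:09Z",
+"nvd_published_at": "2026-04-07T15:17:39Z"
+}
+}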
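Review bot: The `summary` line says "SGI requests" where the `details` line says "ASGI requests"; the summary is the text most tooling surfaces, so it should read "Django: ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit" (keeping the existing backtick markup). As in the sibling advisory, the `affected` ranges begin at `"introduced": "4.2"`, so version-matching consumers will treat 3.2.x, 4.1.x and 5.0.x as unaffected even though the details say they were not evaluated and may be affected. The details mention only ASGI; if WSGI deployments are confirmed unaffected it would help operators to state that explicitly, and since `DATA_UPLOAD_MAX_MEMORY_SIZE` is exactly the control this issue bypasses, the details could point out that a reverse-proxy body-size limit enforced while the body is read (independent of the client's `Content-Length`) is the compensating control until the upgrade lands — presumably, as the record does not describe the fix.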

advisories/unreviewed/2026/04/GHSA-5mf9-h53q-7mhq/GHSA-5mf9-h53q-7mhq.json

Lines changed: 0 additions & 44 deletions
This file was deleted.

advisories/unreviewed/2026/04/GHSA-933h-hp56-hf7m/GHSA-933h-hp56-hf7m.json

Lines changed: 0 additions & 44 deletions
This file was deleted.
