VIR Vulnerability Intelligence Relay

CVE-2026-5766

medium
Published 2026-05-05 · Modified 2026-05-20
CVSS v3
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v2
VIR risk
5.3

Description

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Predictions

Exploit likelihood
63%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-5766

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-5766.html

vendor Authored 2026-05-27

Vendor advisory: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 — https://www.djangoproject.com/weblog/2026/may/05/security-releases/

vendor Authored 2026-05-27

Vendor advisory: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 — https://docs.djangoproject.com/en/dev/releases/security/

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyaffected
debian debiansidfixed3:5.2.14-1
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
python PyPIdjango>=6.0,<6.0.56.0.5
python PyPIdjango>=5.2,<5.2.145.2.14
PIPDjango>= 5.2, < 5.2.145.2.14
PIPDjango>= 6.0, < 6.0.56.0.5

Application impact
VendorProductVersionsFixed
djangoprojectdjango{"startIncluding":"5.2","endExcluding":"5.2.14"}5.2.14

References

CWEs

CWE-130

Verify integrity in audit chain (admin only). AS-IS.