Denial-of-Service Vulnerability in Django Framework Affecting Multiple Versions
CVE-2026-1285

7.5HIGH

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 February 2026

What is CVE-2026-1285?

A vulnerability has been identified in multiple versions of the Django framework, which allows remote attackers to exploit the django.utils.text.Truncator.chars() and Truncator.words() methods, particularly when using the html=True configuration. This exploitation can potentially lead to a denial-of-service condition by providing crafted input filled with unmatched HTML end tags. It's important to note that previous unsupported versions of Django, such as 5.0.x, 4.1.x, and 3.2.x, may also be susceptible to similar threats.

Affected Version(s)

Django 6.0 < 6.0.2

Django 5.2 < 5.2.11

Django 4.2 < 4.2.28

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seokchan Yoon
Natalia Bidart
Jacob Walls
.