Improper Input Validation in Django Framework Affecting Multiple Versions
CVE-2026-4292

2.7 LOW

Key Information:

Status
Vendor
CVE Published: 7 April 2026

What is CVE-2026-4292?

An input validation flaw in the Django admin changelist could allow forged POST data to create new model instances instead of only editing the rows the page displayed. The problem arises when data submitted through admin changelist forms is not validated against what the server actually rendered, resulting in unauthorized data manipulation; the CVSS vector rates Integrity as Low and Privileges Required as High, consistent with the attacker needing an authenticated admin session that can submit the changelist form. Fixed releases are listed below. Older, unsupported Django series may also be affected and receive no fix, so affected deployments should upgrade to a fixed version. The issue was reported by Cantina.
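
To make the class of issue concrete, the following is an added example; it is not Django's code and not a reproduction of CVE-2026-4292 (the advisory does not publish the request shape). It models the server-side check an admin changelist needs. What is real: Django formsets carry a management form (form-TOTAL_FORMS, form-INITIAL_FORMS) and per-row fields named form-<index>-<field>, with the primary key in form-<index>-id, and in a ModelFormSet the forms beyond INITIAL_FORMS are treated as new objects. What is assumed for illustration: the in-memory stand-in for the rendered queryset, the sample model fields, the form-count ceiling, and the policy that every submitted form must map onto a row the server rendered.

```python
"""Server-side check of a Django-style changelist formset POST.

Added example for this advisory, not Django's own code. Field naming follows
Django's real formset conventions; the in-memory "displayed rows" set, the
sample fields and the reject-anything-unrendered policy are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

PREFIX = "form"
MAX_FORMS = 1000  # ceiling on the client-supplied count we are willing to parse (assumed)


@dataclass(frozen=True)
class Rejected:
    reason: str


def _count(post: dict[str, str], name: str) -> int | Rejected:
    """Parse one management-form counter, refusing junk or absurd values."""
    raw = post.get(f"{PREFIX}-{name}")
    if raw is None or not raw.isdigit():
        return Rejected(f"management form field {name} missing or not an integer")
    value = int(raw)
    if value > MAX_FORMS:
        return Rejected(f"{name}={value} exceeds the {MAX_FORMS} form ceiling")
    return value


def validate_changelist_post(
    post: dict[str, str], displayed_pks: set[str], fields: tuple[str, ...]
) -> list[dict[str, str]] | Rejected:
    """Return one dict per submitted row, or Rejected explaining why the POST is refused.

    A formset that trusts the client's TOTAL_FORMS builds extra forms for indexes
    beyond INITIAL_FORMS, and extra forms describe new objects. A changelist only
    ever renders existing rows, so nothing that fails to map onto a rendered row
    may be accepted.
    """
    total = _count(post, "TOTAL_FORMS")
    if isinstance(total, Rejected):
        return total
    initial = _count(post, "INITIAL_FORMS")
    if isinstance(initial, Rejected):
        return initial
    if total != initial:
        return Rejected(f"TOTAL_FORMS={total} != INITIAL_FORMS={initial}: extra forms would create objects")
    if total > len(displayed_pks):
        return Rejected(f"TOTAL_FORMS={total} exceeds the {len(displayed_pks)} rows on this page")

    rows: list[dict[str, str]] = []
    seen: set[str] = set()
    for i in range(total):
        pk = post.get(f"{PREFIX}-{i}-id")
        if pk is None:
            return Rejected(f"form {i} carries no id; it describes a new object, not a displayed row")
        if pk not in displayed_pks:
            return Rejected(f"form {i} targets pk {pk!r}, which is not on this page")
        if pk in seen:
            return Rejected(f"pk {pk!r} submitted twice")
        seen.add(pk)
        row = {"id": pk}
        for field in fields:
            key = f"{PREFIX}-{i}-{field}"
            if key in post:
                row[field] = post[key]
        rows.append(row)
    return rows


# Constructed sample: the server rendered a changelist page showing two rows,
# with list_editable covering "title" and "published" (assumed model fields).
DISPLAYED_PKS = {"11", "12"}
FIELDS = ("title", "published")

LEGIT_POST = {
    "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "2",
    "form-0-id": "11", "form-0-title": "Hello", "form-0-published": "on",
    "form-1-id": "12", "form-1-title": "World",
}

# Forged: the client bumps TOTAL_FORMS and appends a third form with no id.
FORGED_EXTRA_POST = {
    **LEGIT_POST,
    "form-TOTAL_FORMS": "3",
    "form-2-title": "Injected", "form-2-published": "on",
}

# Forged: counts are honest, but one form is pointed at a row not on the page.
FORGED_PK_POST = {**LEGIT_POST, "form-1-id": "99"}


def demo() -> dict[str, object]:
    return {
        "legit": validate_changelist_post(LEGIT_POST, DISPLAYED_PKS, FIELDS),
        "forged_extra": validate_changelist_post(FORGED_EXTRA_POST, DISPLAYED_PKS, FIELDS),
        "forged_pk": validate_changelist_post(FORGED_PK_POST, DISPLAYED_PKS, FIELDS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The invariant enforced is the one the changelist relies on: the set of forms the server accepts must equal the set of rows it rendered, so an attacker who edits the management form, drops an id, or substitutes a foreign primary key is refused before any save is attempted. Raising the counters together is caught by the comparison against the number of rendered rows.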

Affected Version(s)

Django 6.0 < 6.0.4

Django 5.2 < 5.2.13

Django 4.2 < 4.2.30

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Score: 2.7
Severity: LOW
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved
  • Vulnerability published: 7 April 2026

Credit

Cantina
Jacob Walls