CVE-2026-35192
CVE-2026-35192 is a medium-severity vulnerability in Djangoproject Django with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-539.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 2.3
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-27347
- Weakness: CWE-539
- Affected product: Djangoproject Django
- Published:
- Last modified:
Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Frequently asked questions
- What is CVE-2026-35192?
- An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
- How severe is CVE-2026-35192?
- CVE-2026-35192 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-35192 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-35192?
- CVE-2026-35192 affects Djangoproject Django. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-35192?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-35192 have an EU (EUVD) identifier?
- Yes. CVE-2026-35192 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-27347.
- When was CVE-2026-35192 published?
- CVE-2026-35192 was published on 2026-05-05 and last updated on 2026-06-17.
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/g/django-announce
- https://www.djangoproject.com/weblog/2026/may/05/security-releases/
Affected products (1)
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
More vulnerabilities in Djangoproject Django
- CVE-2014-0474 — Critical (CVSS 10.0): The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11,…
- CVE-2026-4277 — Critical (CVSS 9.8): An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model…
- CVE-2024-53908 — Critical (CVSS 9.8): An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the…
- CVE-2023-31047 — Critical (CVSS 9.8): In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using…
- CVE-2022-34265 — Critical (CVSS 9.8): An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions…
- CVE-2022-28347 — Critical (CVSS 9.8): A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0…
All CVEs affecting Djangoproject Django →
Other CWE-539 vulnerabilities
- CVE-2025-27673 — Critical (CVSS 9.1): Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Cookie…
- CVE-2024-39275 — High (CVSS 8.0): Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging…
- CVE-2023-30861 — High (CVSS 7.5): Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response…
- CVE-2021-27463 — Medium (CVSS 5.3): A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected…
- CVE-2026-24318 — Medium (CVSS 4.2): Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an…
- CVE-2025-52633 — Low (CVSS 3.1): HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing…