Alerts This Week
Warning Icon 1 659
Alerts This Week
Warning Icon 1 659

Ubuntu 24 node-express10 Major RCE Vulnerability Patch 2026-a1234567bc

fedora
Calendar Grey May 14, 2026
Dist Fedora Esm H88
Addressing multiple issues in python-django5 for Fedora 42, including denial of service, session fixation, and privilege abuse.
Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass Fixes CVE-2026-35192: Session fixation via public cached pages and SESS...

Summary

Django is a high-level Python Web framework that encourages rapid

development and a clean, pragmatic design. It focuses on automating as

much as possible and adhering to the DRY (Don't Repeat Yourself)

principle.

Update Information:

Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

Topics%20covered

Topics Covered

security advisory denial of service fedora python session fixation privilege abuse

Change Log

* Tue May 12 2026 Michel Lind - 5.2.14-1 - Update to version 5.2.14; Resolves RHBZ#2444117 - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass - Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST - Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware - Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation - Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin - Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable - Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload - Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass - Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects

References


[ 1 ] Bug #2444117 - python-django5-5.2.14 is available https://bugzilla.redhat.com/show_bug.cgi?id=2444117

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-b9548393aa' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: python-django5
Product: Fedora 42
Version: 5.2.14
Release: 1.fc42
URL: https://www.djangoproject.com/
Summary: A high-level Python Web framework

Topics%20covered

Topics Covered

security advisory denial of service fedora python session fixation privilege abuse

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here