VDB
CVE-2026-35192
CVE-2026-35192
PUBLISHED
CVSS 2.299999952316284 LOW
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
EPSS 0.04% · 12.9th percentile
Risk Scores
CVSS v4.0
2.299999952316284
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.04%
12.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| djangoproject | Django | 6.0, 6.0.5, 5.2 |
Timeline
- May 5, 2026 CVE Published
- May 5, 2026 PoC Published
- May 5, 2026 Security Advisory
- May 8, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- Django security archive vendor-advisory
- Django releases announcements mailing-list
- Django security releases issued: 6.0.5 and 5.2.14 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-35192 advisory
- https://docs.djangoproject.com/en/dev/releases/security url
- https://www.djangoproject.com/weblog/2026/may/05/security-releases url