VDB
CVE-2026-5766
PUBLISHED
CVSS 5.3 MEDIUM
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
EPSS 0.05% · 16.2nd percentile
Risk Scores
CVSS v3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.05%
16.2nd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| djangoproject | Django | 6.0, 5.2.14, 6.0.5 |
| AWS | config | |
Timeline
- May 5, 2026 CVE Published
- May 5, 2026 PoC Published
- May 5, 2026 CVE Updated
- May 5, 2026 Security Advisory
- May 6, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
References
- Django security archive (vendor advisory)
- Django releases announcements (mailing list)
- Django security releases issued: 6.0.5 and 5.2.14 (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-5766 (advisory)
- https://docs.djangoproject.com/en/dev/releases/security (url)
- https://www.djangoproject.com/weblog/2026/may/05/security-releases (url)