VDB
CVE-2026-6907
CVE-2026-6907
PUBLISHED
CVSS 4.300000190734863 MEDIUM
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
EPSS 0.03% · 10.2th percentile
Risk Scores
CVSS v3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Score
0.03%
10.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| djangoproject | Django | 6.0.5, 5.2, 5.2.14 |
Timeline
- May 5, 2026 CVE Published
- May 5, 2026 PoC Published
- May 5, 2026 Security Advisory
- May 6, 2026 EPSS Score
- May 8, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
References
- Django security archive vendor-advisory
- Django releases announcements mailing-list
- Django security releases issued: 6.0.5 and 5.2.14 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-6907 advisory
- https://docs.djangoproject.com/en/dev/releases/security url
- https://www.djangoproject.com/weblog/2026/may/05/security-releases url