CVE-2026-1285
📋 TL;DR
This vulnerability in Django allows remote attackers to cause denial-of-service by sending crafted inputs with many unmatched HTML end tags to specific text truncation functions. It affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, potentially including earlier unsupported series.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion from processing malicious inputs, potentially affecting all users of the Django application.
Likely Case
Degraded performance or temporary service disruption for affected endpoints using vulnerable truncation functions with HTML content.
If Mitigated
Minimal impact with proper input validation, rate limiting, and updated Django versions.
🎯 Exploit Status
Exploitation requires sending crafted HTML with many unmatched end tags to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.2, 5.2.11, 4.2.28
Vendor Advisory: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Restart Required: Yes
Instructions:
1. Identify the installed Django version.
2. Upgrade to the patched version: pip install Django==6.0.2 (or 5.2.11 / 4.2.28 for the 5.2 and 4.2 series).
3. Restart the Django application.
4. Test functionality.
🔧 Temporary Workarounds
Disable HTML truncation filters
Applies to: all
Replace the vulnerable truncatechars_html and truncatewords_html template filters with non-HTML alternatives or custom safe implementations.
Input validation and sanitization
Applies to: all
Implement strict input validation to reject or sanitize HTML content with excessive unmatched tags before processing.
🧯 If You Can't Patch
- Implement WAF rules to block requests with excessive HTML end tags
- Apply rate limiting to endpoints using vulnerable truncation functions
🔍 How to Verify
Check if Vulnerable:
Check the installed Django version, and check whether the application uses the vulnerable truncation functions (the truncatechars_html / truncatewords_html template filters, or Truncator calls with html=True in code).
Check Version:
python -c "import django; print(django.get_version())"
Verify Fix Applied:
Confirm that the installed Django version is 6.0.2, 5.2.11, or 4.2.28 or later using the version check command above.
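The two checks above (version against the fixed releases, and usage of the HTML truncation helpers) as an added Python example; this is not code from the advisory or from Django itself, and the sample template and view snippets are constructed for illustration:

```python
import re

# Fixed releases named in the advisory, keyed by minor series.
FIXED = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}


def parse_version(version):
    """Reduce a Django version string (e.g. '5.2.11', '6.0.2rc1') to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(version):
    """True if the version is below the fixed release for its series.

    Series without a listed fix that are older than 6.0 (e.g. 5.1, 4.1) are
    treated as vulnerable, matching the advisory's note on earlier unsupported
    series; series newer than 6.0 are assumed to carry the fix (assumption).
    """
    v = parse_version(version)
    series = v[:2]
    if series in FIXED:
        return v < FIXED[series]
    return series < (6, 0)


# Template filters and Truncator calls with html=True on a single line.
FILTER_RE = re.compile(r"\|\s*truncate(?:chars|words)_html\b")
PY_RE = re.compile(r"Truncator\([^)]*\)\s*\.\s*(?:chars|words)\([^)]*html\s*=\s*True")


def find_vulnerable_usages(text, kind):
    """Return 1-based line numbers of vulnerable usages in template or python source."""
    pattern = FILTER_RE if kind == "template" else PY_RE
    return [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]


# Constructed sample inputs (not from any real project).
SAMPLE_TEMPLATE = """<p>{{ post.title }}</p>
<div>{{ post.body|truncatechars_html:120 }}</div>
<div>{{ post.body|truncatewords:20 }}</div>
"""
SAMPLE_VIEW = """from django.utils.text import Truncator

teaser = Truncator(body).chars(200, html=True)
plain = Truncator(body).words(30)
"""

if __name__ == "__main__":
    print("5.2.10 vulnerable:", is_vulnerable_version("5.2.10"))
    print("template hits:", find_vulnerable_usages(SAMPLE_TEMPLATE, "template"))
    print("python hits:", find_vulnerable_usages(SAMPLE_VIEW, "python"))
```

Run the usage scan over your own templates/ and source tree; calls split across several lines are not caught by the single-line pattern and need a manual look.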
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for requests with HTML content
- High CPU/memory usage spikes from Django processes
Network Indicators:
- Requests containing large numbers of HTML end tags (e.g., many </div> tags without opening tags)
SIEM Query:
source="django" AND (message="timeout" OR message="slow response") AND uri="*" AND user_agent!="*bot*"