CVE-2026-3902
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
CVE-2026-3902 is an improper-sanitization issue in Django's error handling: certain exception messages are not adequately sanitized before they are included in error responses, so a request that triggers the right error receives internal application details that should never reach the client. This disclosure aids an attacker's reconnaissance and increases the risk of follow-on attacks against affected Django applications.
Per OWASP: Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This low-severity vulnerability is in Django's core package; the affected version ranges are listed above.
Django's error reporting is designed not to expose internal details to end users: with debug mode turned off, an unhandled exception produces a generic error response rather than a stack trace, configuration values, or other diagnostic data.
In the affected versions, however, certain error responses are not adequately sanitized. An attacker who triggers specific exceptions with crafted input receives an overly detailed error message, which can reveal information about the application's internal structure, configuration, or execution flow. Because the exception data is insufficiently filtered before it is placed in the HTTP response, information that should remain inside the application becomes available to whoever can provoke the error, making targeted attacks easier.
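The two behaviours described above, side by side, as an added illustration that is not Django's code and not part of this advisory: a leaky handler that reflects the exception message (internal paths, table names, and the attacker's own input end up in the client-visible body, which is also the reflection that makes content spoofing possible), and a safe handler that logs the full traceback server-side under a correlation id and returns only that id. The WSGI-style request dict, the `lookup_view` function, and the strings it raises with are constructed for the example.

```python
import logging
import traceback
import uuid

# Added illustration, not Django code: a minimal request handler showing the
# difference between reflecting an exception message to the client and keeping
# it server-side. The request shape and the view are assumptions for the example.

log = logging.getLogger("app.errors")


def lookup_view(request):
    """Hypothetical view whose exception message carries internal detail."""
    key = request["QUERY_STRING"]
    # Constructed failure: the message names an internal path and a table.
    raise ValueError(
        f"no record for {key!r} in table app_record "
        f"(see /srv/app/config/settings.yaml)"
    )


def handle_request_leaky(view, request):
    """Anti-pattern: str(exc) is placed in the response body unchanged."""
    try:
        return 200, view(request)
    except Exception as exc:
        # Reflects attacker input and internal names to the client.
        return 500, f"Internal Server Error: {exc}"


def handle_request_safe(view, request):
    """Log the traceback with a correlation id; the client only sees the id."""
    try:
        return 200, view(request)
    except Exception:
        error_id = uuid.uuid4().hex[:12]
        # Full detail goes to the server log, keyed by the id for support.
        log.error("unhandled exception %s\n%s", error_id, traceback.format_exc())
        return 500, f"Internal Server Error (reference {error_id})"


def response_leaks(body, request):
    """Check for tests: does the body echo the request input or internal names?"""
    query = request["QUERY_STRING"]
    reflected = bool(query) and query in body
    return reflected or "/srv/app" in body or "app_record" in body


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed request with a content-injection style payload.
    req = {"QUERY_STRING": "<img src=x onerror=alert(1)>"}
    for handler in (handle_request_leaky, handle_request_safe):
        status, body = handler(lookup_view, req)
        print(handler.__name__, status, "leaks" if response_leaks(body, req) else "clean")
        print("   ", body)
```

The check in `response_leaks` is the kind of assertion worth keeping in an application's own test suite: send a recognisable marker in the request, force an error, and fail the test if the marker or any internal identifier appears in the error body.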
Mitigation
Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django (for the supported 5.2 and 6.0 series, the upstream release that addresses this issue; for 3.2 and 4.2, NES v3.2.27 or v4.2.31).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
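Before choosing a mitigation, it helps to know where an installed Django falls relative to the ranges in this advisory. The following helper is added here and is not part of the advisory or of Django: it compares a version string (for example the output of `python -c "import django; print(django.__version__)"` on the target host) against the affected ranges and the NES fixed versions listed above. Anything outside those listed ranges is reported as such rather than guessed at.

```python
# Added helper, not part of the advisory or of Django. The tables below are
# transcribed from this advisory's "Affected versions" and "Fixed in" entries;
# versions outside them are reported as not covered rather than assumed safe.

# release series -> highest version in the affected range for that series
AFFECTED_MAX = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 29),
    (5, 2): (5, 2, 13),
    (6, 0): (6, 0, 4),
}
# HeroDevs NES releases named as fixed
NES_FIXED = {(3, 2): (3, 2, 27), (4, 2): (4, 2, 31)}
# series that are End-of-Life upstream and receive no upstream fix
EOL_SERIES = {(3, 2), (4, 2)}


def parse_version(text):
    """'4.2.29' -> (4, 2, 29). Uses the leading numeric parts only, so
    '5.2.13.post1' -> (5, 2, 13) and '4.2' -> (4, 2, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version_text):
    """Return (status, message) for a Django version string."""
    v = parse_version(version_text)
    series = v[:2]
    label = f"{series[0]}.{series[1]}"
    if series not in AFFECTED_MAX:
        return "not-listed", f"Django {label} is not covered by this advisory's affected ranges"
    if v <= AFFECTED_MAX[series]:
        if series in EOL_SERIES:
            nes = ".".join(map(str, NES_FIXED[series]))
            return "affected-eol", f"affected; {label} is EOL upstream, NES fix is {nes}"
        return "affected", f"affected; upgrade to a patched upstream {label} release"
    if series in NES_FIXED and v >= NES_FIXED[series]:
        return "fixed-nes", f"fixed in NES {version_text.strip()}"
    return "above-range", f"above the listed affected range for {label}; check the release notes"


if __name__ == "__main__":
    import sys
    status, message = assess(sys.argv[1] if len(sys.argv) > 1 else "4.2.29")
    print(status, "-", message)
```

Run it with the version string as the only argument; the first word of the output is a stable token suitable for scripting across a fleet of hosts.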
Credits
- Tarek Nakkouch (finder)