Vulnerability Spoiler Alert

Vulnerability Spoiler Alert - django/django https://spaceraccoon.github.io/vulnerability-spoiler-alert Vulnerability alerts for django/django en-us Fri, 17 Apr 2026 01:52:35 GMT [MEDIUM] Denial of Service (DoS) in django/django https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/66 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/66 Tue, 03 Mar 2026 14:31:49 GMT Django's URLField.to_python() used urlsplit() to detect URL schemes, which on Windows performs NFKC Unicode normalization. This normalization is disproportionately slow for inputs containing certain Unicode characters (e.g., characters like '¾'), allowing an attacker to craft a POST payload that causes excessive CPU consumption. The patch replaces urlsplit() with str.partition(':') for scheme detection, avoiding Unicode normalization entirely. medium unverified [LOW] Incorrect Permissions / Race Condition (umask) in django/django https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/65 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/65 Tue, 03 Mar 2026 14:31:34 GMT In multi-threaded Django applications, the file-based cache backend and filesystem storage used temporary umask changes (via os.umask()) to control directory permissions when creating directories. Because os.umask() is a process-wide operation, a temporary umask change in one thread could affect directory/file creation in other threads, resulting in file system objects being created with unintended (potentially overly permissive) permissions. The patch replaces the umask manipulation approach with a safe_makedirs() function that uses os.chmod() after os.mkdir() to enforce the exact requested permissions. low unverified [MEDIUM] Cross-Site Scripting (XSS) in django/django https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/44 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/44 Fri, 20 Feb 2026 14:47:10 GMT The Django admin interface was vulnerable to XSS attacks when displaying model string representations that contained only whitespace or malicious scripts. The vulnerability occurred because whitespace-only strings were not properly sanitized before being rendered in HTML contexts, allowing attackers to inject malicious scripts through model __str__ methods. medium unverified