Django 5.2.16 release notes¶
July 7, 2026
Django 5.2.16 fixes three security issues with severity “low” in 5.2.15.
CVE-2026-53877: Heap buffer over-read in GDALRaster¶
When GDALRaster was instantiated with a bytes
object representing a raster file, the
vsi_buffer property could over-read
the allocated buffer by approximately 32 bytes. This could result in
information disclosure of adjacent heap memory or, in rare cases, a
segmentation fault. Only rasters stored in GDAL’s virtual filesystem were
affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input¶
DomainNameValidator accepted newlines in
domain names. If such values were included in HTTP responses, header injection
attacks were possible. Django itself wasn’t vulnerable because
HttpResponse prohibits newlines in HTTP headers.
The vulnerability only affected uses of DomainNameValidator outside Django
form fields, as CharField strips newlines by default.
This issue has severity “low” according to the Django security policy.