GHSA-4rrr-2h4v-f3j9 · Severity: low · Ecosystem: pip — Django has Inefficient Algorithmic Complexity
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Conclusion & alert: CVE-2026-1285 is rated Moderate Risk (51.2/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.99%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.06% | 0.99% | +0.94% |
| 2 | 2026-02-13 | 0.04% | 0.06% | +0.02% |
| 3 | 2026-02-06 | — | 0.04% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-4rrr-2h4v-f3j9 · Severity: low · Ecosystem: pip — Django has Inefficient Algorithmic Complexity
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-1285: 1 source package rows (py3-django); 2 state rows across 2 repos (3.23-community, edge-community); fixed 2, open 0. | https://security.alpinelinux.org/vuln/CVE-2026-1285 |
debian
|
not yet assigned | CVE-2026-1285 not yet assigned priority: Debian including 1 source packages (python-django), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2026-1285 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-1285 |
suse
|
high | CVE-2026-1285 severity important: SUSE including 11 source package names (python3-Django-2.2.28-bp156.30.1, python311-Django-4.2.11-150600.3.47.1, …), 13 product×package rows across 5 product lines (SUSE Linux Enterprise Module for Package Hub 15 SP7, SUSE Package Hub 15 SP6, … (5 product lines)): Fixed 13. | https://www.suse.com/security/cve/CVE-2026-1285/ |
ubuntu
|
medium | CVE-2026-1285 medium priority: Ubuntu including 1 source packages (python-django), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): released 7, not-affected 1. | https://ubuntu.com/security/CVE-2026-1285 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| djangoproject | django | >= 4.2, < 4.2.28 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 5.2, < 5.2.11 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 6.0, < 6.0.2 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://docs.djangoproject.com/en/dev/releases/security/ | Patch Vendor Advisory |
| https://groups.google.com/g/django-announce | Release Notes |
| https://www.djangoproject.com/weblog/2026/feb/03/security-releases/ | Patch Vendor Advisory |