GHSA-mjgh-79qc-68w3 · Severity: low · Ecosystem: pip — Django has a Race Condition vulnerability
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Conclusion & alert: CVE-2026-25674 is rated Low Risk (17.1/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.03%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-04 | — | 0.03% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 3.7 | 3.1 | LOW |
|
2.2 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-mjgh-79qc-68w3 · Severity: low · Ecosystem: pip — Django has a Race Condition vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-25674: 1 source package rows (py3-django); 1 state rows across 1 repos (3.23-community); fixed 1, open 0. | https://security.alpinelinux.org/vuln/CVE-2026-25674 |
debian
|
not yet assigned | CVE-2026-25674 not yet assigned priority: Debian including 1 source packages (python-django), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-25674 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2026-25674 |
suse
|
medium | CVE-2026-25674 severity moderate: SUSE including 7 source package names (python311-Django-4.2.11-150600.3.50.1, python311-Django-5.2.12-1.1, …), 8 product×package rows across 4 product lines (SUSE Linux Enterprise Module for Package Hub 15 SP7, openSUSE Leap 15.6, openSUSE Leap 16.0, openSUSE Tumbleweed): Fixed 8. | https://www.suse.com/security/cve/CVE-2026-25674/ |
ubuntu
|
low | CVE-2026-25674 low priority: Ubuntu including 1 source packages (python-django), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): needs-triage 8. | https://ubuntu.com/security/CVE-2026-25674 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| djangoproject | django | >= 4.2.0, < 4.2.29 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 5.2, < 5.2.12 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| djangoproject | django | >= 6.0, < 6.0.3 | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://docs.djangoproject.com/en/dev/releases/security/ | Vendor Advisory Patch |
| https://groups.google.com/g/django-announce | Release Notes |
| https://www.djangoproject.com/weblog/2026/mar/03/security-releases/ | Patch Vendor Advisory |