Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Published: 2026-02-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An attacker can trigger a denial‑of‑service condition by submitting data that contains a large number of unmatched HTML end tags to Django’s truncation utilities when the html flag is enabled. The vulnerability is rooted in resource exhaustion; operations that parse the malformed HTML can consume excessive memory, leading to high CPU usage or crashes. This flaw is categorized as CWE‑407 (Excessive Resource Consumption) and CWE‑770 (Uncontrolled Memory Allocation).

Affected Systems

The issue affects the Django framework. Versions 6.0 prior to 6.0.2, 5.2 prior to 5.2.11, and 4.2 prior to 4.2.28 are vulnerable. Older Django series such as 5.0.x, 4.1.x, and 3.2.x were not examined but may also be affected.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. While the EPSS score is below 1%, meaning that the probability of exploitation has historically been low, the lack of a KEV listing does not mitigate the risk. Exploitation requires an attacker to supply crafted input to an endpoint using Truncator.chars(), Truncator.words(), or the corresponding template filters with html=True. Successfully leveraged, the attacker can cause the target application to consume excessive resources and potentially become unavailable, though remote code execution is not supported.

Generated by OpenCVE AI on April 18, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to version 6.0.2, 5.2.11, or 4.2.28 or later to incorporate the fixed logic.
  • If an upgrade cannot be performed immediately, eliminate the use of Truncator methods or the truncatechars_html and truncatewords_html filters wherever possible to prevent the vulnerability from being triggered.
  • Implement input validation that rejects or sanitizes payloads containing an excessive number of unmatched HTML end tags, reducing the chance of resource exhaustion.

Generated by OpenCVE AI on April 18, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4484-1 python-django security update
Debian DSA Debian DSA DSA-6150-1 python-django security update
Github GHSA Github GHSA GHSA-4rrr-2h4v-f3j9 Django has Inefficient Algorithmic Complexity
Ubuntu USN Ubuntu USN USN-8009-1 Django vulnerabilities
History

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 03 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Title Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
Weaknesses CWE-407
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-02-03T16:22:33.352Z

Reserved: 2026-01-21T12:49:21.258Z

Link: CVE-2026-1285

cve-icon Vulnrichment

Updated: 2026-02-03T16:22:24.499Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T15:16:13.570

Modified: 2026-02-04T17:09:01.357

Link: CVE-2026-1285

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-03T14:35:50Z

Links: CVE-2026-1285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses