PatchSiren

Djangoproject CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Djangoproject CVE published 2026-03-03

CVE-2026-25673

CVE-2026-25673 is a high-severity denial-of-service vulnerability in Django's URLField.to_python() method. The issue arises from the method's use of urllib.parse.urlsplit(), which NFKC-normalizes any non-ASCII network location (netloc) it parses on every platform (the check is not Windows-specific). That normalization is disproportionately slow for certain Unicode characters, so a remote attacker who submits a sufficiently large URL containing them can cause a denial of service. Th [truncated]
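The defensive pattern implied above is to bound the input before the expensive parse ever runs. The following is an added example written for this debrief, not Django's own URLField code or its patch: a hypothetical `validate_url()` that applies a cheap length cap (the `MAX_URL_LENGTH` value is an assumption, not taken from the advisory) before calling `urlsplit()`, and that surfaces the parser's own NFKC rejection as a validation error. The sample inputs are constructed; the example makes no claim about which specific characters are pathologically slow to normalize.

```python
"""Hypothetical length-capped URL validation (added example; not Django's code).

urllib.parse.urlsplit() runs unicodedata.normalize('NFKC', ...) over any
non-ASCII netloc, so an unbounded input reaches that work before any other
check can reject it. Validating the length first keeps the cost O(1) for
oversized input.
"""
from urllib.parse import urlsplit

# Assumed cap for illustration; pick one that fits the application.
MAX_URL_LENGTH = 2048


class URLValidationError(ValueError):
    """Raised when a value is rejected before or during parsing."""


def validate_url(value: str, max_length: int = MAX_URL_LENGTH) -> str:
    """Return value if it is an acceptable absolute URL, else raise.

    Order matters: the length check runs before urlsplit() so that an
    oversized, non-ASCII netloc never reaches NFKC normalization.
    """
    if not isinstance(value, str):
        raise URLValidationError("URL must be a string")
    if len(value) > max_length:
        raise URLValidationError(
            f"URL longer than {max_length} characters rejected before parsing"
        )
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        # urlsplit() itself rejects netlocs whose NFKC form would introduce
        # one of '/?#@:' (for example U+2100, which normalizes to 'a/c').
        raise URLValidationError(f"invalid URL: {exc}") from None
    if not parts.scheme or not parts.netloc:
        raise URLValidationError("URL must include a scheme and a host")
    return value


def oversized_unicode_url(repeat: int = 10_000) -> str:
    """Constructed sample input: a large non-ASCII netloc that, without a
    length cap, would be handed to NFKC normalization in full."""
    return "https://" + ("\u00e9" * repeat) + ".example"


def reaches_nfkc_path(netloc: str) -> bool:
    """Mirror of urlsplit()'s entry condition for the NFKC check: only a
    non-empty, non-ASCII netloc is normalized."""
    return bool(netloc) and not netloc.isascii()


if __name__ == "__main__":
    print(validate_url("https://example.com/path?q=1"))
    for bad in (oversized_unicode_url(), "https://\u2100.example", "not a url"):
        try:
            validate_url(bad)
        except URLValidationError as err:
            print("rejected:", err)
```

The cap is deliberately applied to the raw string, not to the parsed netloc, because obtaining the netloc already requires the parse whose cost we are trying to bound.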