CVE-2026-53878
Received
Received - Intake
HTTP Header Injection via DomainNameValidator in Django
Vulnerability report for CVE-2026-53878, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-07
Last updated on: 2026-07-07
Assigner: Django Software Foundation
Description
Description
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Bence Nagy for reporting this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| django | django | to 5.2.16 (exc) |
| django | django | to 6.0.7 (exc) |
| django | django | 5.0 |
| django | django | 4.1 |
| django | django | 3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-144 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component. |