VYPR
Low severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 3, 2026

Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods

CVE-2026-1285

Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial of service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions     Patched versions
Django (PyPI)   >= 6.0a1, < 6.0.2     6.0.2
Django (PyPI)   >= 5.2a1, < 5.2.11    5.2.11
Django (PyPI)   >= 4.2a1, < 4.2.28    4.2.28
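As an added check that is not part of the advisory and not Django's own code: a stand-alone Python script that maps an installed Django version onto the ranges in the table above, reporting "affected", "fixed", or "not-evaluated" for series the advisory did not assess. The small version parser is an assumption that covers only the version forms Django publishes (X.Y, X.Y.Z and a/b/rc pre-releases), not the whole PEP 440 grammar.

```python
"""Map an installed Django version onto the CVE-2026-1285 affected/patched ranges.
Added example, not code from Django or the advisory; the ranges are copied from the
advisory table and the small version parser is an assumption covering only the
forms Django releases use (X.Y, X.Y.Z and a/b/rc pre-releases), not all of PEP 440."""
import re

# (lower bound inclusive, upper bound exclusive, patched release), newest series first.
AFFECTED_RANGES = [
    ("6.0a1", "6.0.2", "6.0.2"),
    ("5.2a1", "5.2.11", "5.2.11"),
    ("4.2a1", "4.2.28", "4.2.28"),
]
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any of its own pre-releases


def parse_version(text):
    """Return a (release, pre) tuple that orders like PEP 440 for the supported forms."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # so '6.0' compares equal to '6.0.0'
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (_FINAL_RANK, 0)
    return release, pre


def check_cve_2026_1285(installed):
    """Return (status, patched): status is 'affected', 'fixed' or 'not-evaluated'."""
    v = parse_version(installed)
    for low, high, patched in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return "affected", patched
        if v[0][:2] == parse_version(patched)[0][:2]:
            return "fixed", patched  # same X.Y series, at or past its patched release
    if v >= parse_version(AFFECTED_RANGES[0][1]):
        return "fixed", None  # newer than the newest patched release
    # Series the advisory did not evaluate (e.g. 5.1.x, 5.0.x, 3.2.x) are unknown, not safe.
    return "not-evaluated", None


if __name__ == "__main__":
    from importlib.metadata import PackageNotFoundError, version
    try:
        installed = version("Django")
    except PackageNotFoundError:
        raise SystemExit("Django is not installed in this environment")
    print(installed, *check_cve_2026_1285(installed))
```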

Patches

a33540b3e20b

Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input.

https://github.com/django/django · Natalia · Jan 21, 2026 · via ghsa
5 files changed · +51 −4
  • django/utils/text.py  +5 −4  modified
    @@ -126,10 +126,11 @@ def handle_starttag(self, tag, attrs):
         def handle_endtag(self, tag):
             if tag not in self.void_elements:
                 self.output.append(f"</{tag}>")
    -            try:
    -                self.tags.remove(tag)
    -            except ValueError:
    -                pass
    +            # Remove from the stack only if the tag matches the most recently
    +            # opened tag (LIFO). This avoids O(n) linear scans for unmatched
    +            # end tags if `deque.remove()` would be called.
    +            if self.tags and self.tags[0] == tag:
    +                self.tags.popleft()
     
         def handle_data(self, data):
             data, output = self.process(data)
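Review bot: the new comment calls this LIFO, but the code reads `self.tags[0]` and `popleft()`, which is only the most recently opened tag if `handle_starttag` pushes with `appendleft`; state that invariant in the comment so a later switch to `append()` does not silently turn this into a comparison against the oldest open tag. Also worth a line here: an end tag that does not match the head is still written to `self.output` but now stays on the stack, so its open tag is closed a second time when truncation finishes, which is a visible output change for misnested input.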
    
  • docs/releases/4.2.28.txt  +12 −0  modified
    @@ -41,3 +41,15 @@ As a reminder, all untrusted user input should be validated before use.
     
     This issue has severity "high" according to the :ref:`Django security policy
     <security-disclosure>`.
    +
    +CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
    +========================================================================================================
    +
    +``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods (with
    +``html=True``) and the :tfilter:`truncatechars_html` and
    +:tfilter:`truncatewords_html` template filters were subject to a potential
    +denial-of-service attack via certain inputs with a large number of unmatched
    +HTML end tags, which could cause quadratic time complexity during HTML parsing.
    +
    +This issue has severity "moderate" according to the :ref:`Django security
    +policy <security-disclosure>`.
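Review bot: the release note describes the quadratic parsing cost but not the behavioural change that removes it: an end tag that does not match the most recently opened tag is no longer removed from the open-tag stack, so misnested input such as `<a><b><c></b>XXXX` now truncates with the stray `</b>` echoed and `<b>` closed again at the end (the new test pins exactly that). A sentence on that in this entry, and in the identical 5.2.11 and 6.0.2 copies, would spare users who diff truncated output across the upgrade.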
    
  • docs/releases/5.2.11.txt  +12 −0  modified
    @@ -41,3 +41,15 @@ As a reminder, all untrusted user input should be validated before use.
     
     This issue has severity "high" according to the :ref:`Django security policy
     <security-disclosure>`.
    +
    +CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
    +========================================================================================================
    +
    +``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods (with
    +``html=True``) and the :tfilter:`truncatechars_html` and
    +:tfilter:`truncatewords_html` template filters were subject to a potential
    +denial-of-service attack via certain inputs with a large number of unmatched
    +HTML end tags, which could cause quadratic time complexity during HTML parsing.
    +
    +This issue has severity "moderate" according to the :ref:`Django security
    +policy <security-disclosure>`.
    
  • docs/releases/6.0.2.txt  +12 −0  modified
    @@ -42,6 +42,18 @@ As a reminder, all untrusted user input should be validated before use.
     This issue has severity "high" according to the :ref:`Django security policy
     <security-disclosure>`.
     
    +CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
    +========================================================================================================
    +
    +``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods (with
    +``html=True``) and the :tfilter:`truncatechars_html` and
    +:tfilter:`truncatewords_html` template filters were subject to a potential
    +denial-of-service attack via certain inputs with a large number of unmatched
    +HTML end tags, which could cause quadratic time complexity during HTML parsing.
    +
    +This issue has severity "moderate" according to the :ref:`Django security
    +policy <security-disclosure>`.
    +
     Bugfixes
     ========
     
    
  • tests/utils_tests/test_text.py  +10 −0  modified
    @@ -202,6 +202,16 @@ def test_truncate_chars_html_with_html_entities(self):
             truncator = text.Truncator("<p>I &lt;3 python, what about you?</p>")
             self.assertEqual("<p>I &lt;3 python, wh…</p>", truncator.chars(16, html=True))
     
    +    def test_truncate_chars_html_with_misnested_tags(self):
    +        # LIFO removal keeps all tags when a middle tag is closed out of order.
    +        # With <a><b><c></b>, the </b> doesn't match <c>, so all tags remain
    +        # in the stack and are properly closed at truncation.
    +        truncator = text.Truncator("<a><b><c></b>XXXX")
    +        self.assertEqual(
    +            truncator.chars(2, html=True, truncate=""),
    +            "<a><b><c></b>XX</c></b></a>",
    +        )
    +
         def test_truncate_words(self):
             truncator = text.Truncator("The quick brown fox jumped over the lazy dog.")
             self.assertEqual(
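Review bot: the new test pins the misnesting semantics but nothing exercises the reported input shape, a large run of unmatched end tags; a regression test that feeds a few thousand stray end tags to `Truncator.chars(..., html=True)` and asserts the expected truncated output would catch a future return to `deque.remove()`. The comment also says `</b>` "doesn't match <c>" while the expected string shows `</b>` twice; add a half-sentence that the unmatched end tag is still echoed to the output, since that is the part a reader otherwise has to work out from the assertion.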
    

