VYPR
Medium severity 5.3 · GHSA Advisory · Published May 5, 2026 · Updated May 7, 2026

CVE-2026-5766

Description

An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
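The failure mode above comes from trusting the declared Content-Length instead of the bytes that actually arrive. The following is an added example, not code from Django or its patch: a generic ASGI middleware that counts streamed body bytes and answers 413 once a cap is passed. It complements, and does not replace, the web-server limit the advisory recommends. The names BodySizeLimit, BodyTooLarge, respond and status_for are hypothetical, and the requests in status_for are constructed.

```python
import asyncio

class BodyTooLarge(Exception): pass

async def respond(send, status):
    await send({"type": "http.response.start", "status": status, "headers": []})
    await send({"type": "http.response.body", "body": b""})

class BodySizeLimit:
    """ASGI middleware: cap bodies by bytes received, not by Content-Length."""
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan and websocket pass through
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers") or []).get(b"content-length", b"")
        if declared.isdigit() and int(declared) > self.max_bytes:
            return await respond(send, 413)  # honest but oversized header
        seen, started = 0, False
        async def counting_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:  # header was missing or understated
                    raise BodyTooLarge
            return message
        async def tracking_send(message):
            nonlocal started
            started = started or message["type"] == "http.response.start"
            await send(message)
        try:
            await self.app(scope, counting_receive, tracking_send)
        except BodyTooLarge:
            if not started:  # a second response start would break ASGI
                await respond(send, 413)

def status_for(headers, chunks, max_bytes=10):
    """Constructed harness: stream chunks to a body-draining app, return status."""
    queue = [{"type": "http.request", "body": c, "more_body": bool(c)} for c in [*chunks, b""]]
    sent = []
    async def receive(): return queue.pop(0)
    async def send(message): sent.append(message)
    async def app(scope, receive, send):  # stand-in for the wrapped application
        while (await receive())["more_body"]: pass
        await respond(send, 200)
    asyncio.run(BodySizeLimit(app, max_bytes)({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"]
```
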

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
Django (PyPI)    >= 6.0, < 6.0.5      6.0.5
Django (PyPI)    >= 5.2, < 5.2.14     5.2.14
