An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

The detected version of the Django Python package, Django, is 4.2.x prior to 4.2.28, 5.2.x prior to 5.2.11, or 6.0.x prior to 6.0.2. It is, therefore, affected by multiple vulnerabilities as referenced by security release advisory:

  - The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows     remote attackers to enumerate users via a timing attack. (CVE-2025-13473)

  - ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with     multiple duplicate headers. (CVE-2025-14550)

  - Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the     band index parameter. (CVE-2026-1207)

  - django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the     truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential     denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. (CVE-2026-1285)

  - FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably     crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(),     aggregate(), extra(), values(), values_list(), and alias(). (CVE-2026-1287)

  - QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias     is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.
    (CVE-2026-1312)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8009-1 advisory.

    It was discovered that Django exposed timing information when checking passwords. An attacker could     possibly use this issue to obtain sensitive information. (CVE-2025-13473)

    Jiyong Yang discovered that Django incorrectly handled malformed requests with duplicate headers. An     attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04     LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)

    Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An attacker could possibly use     this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,     Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)

    Seokchan Yoon discovered that Django incorrectly handled malformed HTML inputs containing a large amount     of unmatched HTML end tags. An attacker could possibly use this issue to cause a denial of service. This     issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04     LTS, and Ubuntu 25.10. (CVE-2026-1285)

    Solomon Kebede discovered that Django incorrectly handled control characters in the dictionary expansion     of certain QuerySet methods. An attacker could possibly use this issue to perform SQL injection attacks.
    (CVE-2026-1287)

    Solomon Kebede discovered that Django incorrectly handled column alias parsing with dictionary expansion.
    An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected     Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
    `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the     `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a     potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
    Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be     affected. Django would like to thank Seokchan Yoon for reporting this issue. (CVE-2026-1285)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
298044	Python Library Django 4.2.x < 4.2.28 / 5.2.x < 5.2.11 / 6.0.x < 6.0.2 Multiple Vulnerabilities	Nessus	Misc.	medium
297803	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Django vulnerabilities (USN-8009-1)	Nessus	Ubuntu Local Security Checks	critical
297741	Linux Distros Unpatched Vulnerability : CVE-2026-1285	Nessus	Misc.	high

Detections

Analytics

CVE-2026-1285

medium

Tenable Plugins

medium

critical

high