Detections
Analytics

Alpine: multiple py3-django packages: security update to 5.2.15-r0

low Tenable Cloud Security Plugin ID 443094

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
 `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating
 the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different
 from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.
 Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
 affected. Django would like to thank Peng Zhou for reporting this issue. (CVE-2026-6873)

 - An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
 `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized
 connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network
 attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as
 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper
 Dupont for reporting this issue. (CVE-2026-7666)

 - An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
 `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response
 directives case-insensitively, which allows remote attackers to read responses that were incorrectly
 cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported
 Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would
 like to thank Ahmed Badawe for reporting this issue. (CVE-2026-8404)

 - An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
 `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary`
 response header for requests bearing that header without `Cache-Control: public`, which allows remote
 attackers to read private cached responses via unauthenticated requests to the same URL. Earlier,
 unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
 Django would like to thank Shai Berger for reporting this issue. (CVE-2026-35193)

 - An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
 `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary`
 response header values before comparison, which allows remote attackers to read cached responses via
 requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django
 series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to
 thank Navid Rezazadeh for reporting this issue. (CVE-2026-48587)

Solution

Update the py3-django library and its related packages to version 5.2.15-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-35193

https://security.alpinelinux.org/vuln/CVE-2026-48587

https://security.alpinelinux.org/vuln/CVE-2026-6873

https://security.alpinelinux.org/vuln/CVE-2026-7666

https://security.alpinelinux.org/vuln/CVE-2026-8404

Plugin Details

Severity: Low

ID: 443094

Version: Revision 1.2

Type: Local

Published: 6/12/2026

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-8404

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 0.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/3/2026

Reference Information

CVE: CVE-2026-35193, CVE-2026-48587, CVE-2026-6873, CVE-2026-7666, CVE-2026-8404