Detections
Analytics
Python Library Django 4.2.x < 4.2.29 / 5.2.x < 5.2.12 / 6.0.x < 6.0.3 DoS
high Nessus Plugin ID 300915
Synopsis
A Python library installed on the remote host is affected by a denial of service vulnerability.Description
The detected version of the Django Python package, is 4.2.x prior to 4.2.29, 5.2.x prior to 5.2.12, or 6.0.x prior to 6.0.3. It is, therefore, affected by a denial of service vulnerability as referenced by security release advisory:- An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. (CVE-2026-25673)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Django version 4.2.29, 5.2.12, 6.0.3 or later.See Also
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/
Plugin Details
Severity: High
ID: 300915
File Name: python_django_6_0_3.nasl
Version: 1.1
Type: local
Agent: windows
Family: Windows
Published: 3/5/2026
Updated: 3/5/2026
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS Score Source: CVE-2026-25673
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score Source: CVE-2026-25673
Vulnerability Information
CPE: cpe:/a:djangoproject:django
Patch Publication Date: 3/3/2026
Vulnerability Publication Date: 3/3/2026
Reference Information
CVE: CVE-2026-25673
IAVA: 2026-A-0199