Django 4.2.26 release notes

November 5, 2025

Django 4.2.26 fixes one security issue with severity « high » and one security issue with severity « moderate » in 4.2.25.

CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Python’s NFKC normalization is slow on Windows. As a consequence, HttpResponseRedirect, HttpResponsePermanentRedirect, and the shortcut redirect() were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters (follow up to CVE 2025-27556).

CVE-2025-64459: Potential SQL injection via _connector keyword argument

QuerySet.filter(), exclude(), get(), and Q were subject to SQL injection using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.

« previous | up | next »