CVE-2026-1285
Published: 03 February 2026
Summary
CVE-2026-1285 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Addresses inefficient algorithms whose complexity can be exploited for DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of the Django truncation functions/filters via crafted HTML input directly enables T1190 (public-facing web app) and results in application-layer resource exhaustion mapped to T1499.004.
NVD Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs…
more
containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Deeper analysisAI
CVE-2026-1285 is a denial-of-service vulnerability in Django's text truncation utilities, specifically affecting the `django.utils.text.Truncator.chars()` and `Truncator.words()` methods when used with `html=True`, as well as the `truncatechars_html` and `truncatewords_html` template filters. The issue impacts Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Earlier unsupported series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be affected.
A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity by supplying crafted inputs containing a large number of unmatched HTML end tags to the affected functions or filters. Successful exploitation leads to resource exhaustion and potential denial-of-service, with no impact on confidentiality or integrity. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407.
Django has issued security releases addressing this issue, recommending upgrades to version 6.0.2, 5.2.11, or 4.2.28 or later for supported series. Mitigation details and patches are documented in the official advisories at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce group at https://groups.google.com/g/django-announce, and the security release weblog at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Seokchan Yoon.
Details
- CWE(s)