CVE-2026-1285
Published: 03 February 2026
Summary
CVE-2026-1285 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1285 is a denial-of-service vulnerability in Django's text truncation utilities, specifically affecting the `django.utils.text.Truncator.chars()` and `Truncator.words()` methods when used with `html=True`, as well as the `truncatechars_html` and `truncatewords_html` template filters. The issue impacts Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Earlier unsupported series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be affected.
A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity by supplying crafted inputs containing a large number of unmatched HTML end tags to the affected functions or filters. Successful exploitation leads to resource exhaustion and potential denial-of-service, with no impact on confidentiality or integrity. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407.
Django has issued security releases addressing this issue, recommending upgrades to version 6.0.2, 5.2.11, or 4.2.28 or later for supported series. Mitigation details and patches are documented in the official advisories at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce group at https://groups.google.com/g/django-announce, and the security release weblog at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Seokchan Yoon.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5251
Vulnerability details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs…
more
containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of the Django truncation functions/filters via crafted HTML input directly enables T1190 (public-facing web app) and results in application-layer resource exhaustion mapped to T1499.004.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing this CVE by mandating patching to Django versions 6.0.2, 5.2.11, or 4.2.28.
SI-10 mandates validation of information inputs, preventing exploitation by rejecting or sanitizing crafted inputs with large numbers of unmatched HTML end tags before they reach the vulnerable Truncator methods or template filters.
SC-5 implements denial-of-service protections at system entry points, mitigating resource exhaustion from remote crafted inputs targeting Django's HTML truncation utilities.