Cyber Resilience

CVE-2026-1285

HighDDoS

Published: 03 February 2026

Published
03 February 2026
Modified
04 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 23.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1285 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1285 is a denial-of-service vulnerability in Django's text truncation utilities, specifically affecting the `django.utils.text.Truncator.chars()` and `Truncator.words()` methods when used with `html=True`, as well as the `truncatechars_html` and `truncatewords_html` template filters. The issue impacts Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Earlier unsupported series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be affected.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity by supplying crafted inputs containing a large number of unmatched HTML end tags to the affected functions or filters. Successful exploitation leads to resource exhaustion and potential denial-of-service, with no impact on confidentiality or integrity. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407.

Django has issued security releases addressing this issue, recommending upgrades to version 6.0.2, 5.2.11, or 4.2.28 or later for supported series. Mitigation details and patches are documented in the official advisories at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce group at https://groups.google.com/g/django-announce, and the security release weblog at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Seokchan Yoon.

EU & UK References

Vulnerability details

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs…

more

containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of the Django truncation functions/filters via crafted HTML input directly enables T1190 (public-facing web app) and results in application-layer resource exhaustion mapped to T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-14550Same product: Djangoproject Django
CVE-2026-33034Same product: Djangoproject Django
CVE-2026-25673Same product: Djangoproject Django
CVE-2026-3902Same product: Djangoproject Django
CVE-2026-1207Same product: Djangoproject Django
CVE-2026-4277Same product: Djangoproject Django
CVE-2025-64459Same product: Djangoproject Django
CVE-2024-56374Same product: Djangoproject Django
CVE-2025-26699Same product: Djangoproject Django
CVE-2026-34573Shared CWE-407

Affected Assets

djangoproject
django
4.2 — 4.2.28 · 5.2 — 5.2.11 · 6.0 — 6.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing this CVE by mandating patching to Django versions 6.0.2, 5.2.11, or 4.2.28.

prevent

SI-10 mandates validation of information inputs, preventing exploitation by rejecting or sanitizing crafted inputs with large numbers of unmatched HTML end tags before they reach the vulnerable Truncator methods or template filters.

prevent

SC-5 implements denial-of-service protections at system entry points, mitigating resource exhaustion from remote crafted inputs targeting Django's HTML truncation utilities.

References