=========================== Django 5.2.16 release notes =========================== *July 7, 2026* Django 5.2.16 fixes three security issues with severity "low" in 5.2.15. CVE-2026-48588: Potential exposure of private data via cached ``Set-Cookie`` response ===================================================================================== :class:`~django.middleware.cache.UpdateCacheMiddleware` and :func:`~django.views.decorators.cache.cache_page` avoided caching responses that set a cookie while varying on ``Cookie`` only when the incoming request contained no cookies at all. When the request already carried an unrelated cookie (such as a language or theme preference cookie), the protection did not apply, allowing a response that sets a session or other sensitive cookie to be stored in Django's shared cache. This issue has severity "low" according to the :ref:`Django security policy `. CVE-2026-53877: Heap buffer over-read in ``GDALRaster`` ======================================================= When :class:`~django.contrib.gis.gdal.GDALRaster` was instantiated with a bytes object representing a raster file, the :attr:`~django.contrib.gis.gdal.GDALRaster.vsi_buffer` property could over-read the allocated buffer by approximately 32 bytes. This could result in information disclosure of adjacent heap memory or, in rare cases, a segmentation fault. Only rasters stored in GDAL's virtual filesystem were affected. This issue has severity "low" according to the :ref:`Django security policy `. CVE-2026-53878: Header injection possibility since ``DomainNameValidator`` accepted newlines in input ===================================================================================================== :class:`~django.core.validators.DomainNameValidator` accepted newlines in domain names. If such values were included in HTTP responses, header injection attacks were possible. Django itself wasn't vulnerable because :class:`~django.http.HttpResponse` prohibits newlines in HTTP headers. The vulnerability only affected uses of ``DomainNameValidator`` outside Django form fields, as ``CharField`` strips newlines by default. This issue has severity "low" according to the :ref:`Django security policy `.