August 3, 2022
Django 4.0.7 fixes a security issue with severity “high” in 4.0.6.
An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a
FileResponse when the
filename was derived from
user-supplied input. The
filename is now escaped to avoid this possibility.