ByteOS Network

NVD Vulnerability Details :

CVE-2026-25673

Awaiting Analysis

Source-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Published At-03 Mar, 2026 | 15:16

Updated At-03 Mar, 2026 | 21:52

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Type: Secondary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CWE ID	Type	Source
CWE-400	Secondary	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

CWE ID: CWE-400

Type: Secondary

Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

References

Hyperlink	Source	Resource
https://docs.djangoproject.com/en/dev/releases/security/	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92	N/A
https://groups.google.com/g/django-announce	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92	N/A
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92	N/A