CVE-2026-48588

Source
https://cve.org/CVERecord?id=CVE-2026-48588
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48588.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48588
Aliases
Downstream
Related
Published
2026-07-07T14:09:32.687Z
Modified
2026-07-11T09:29:30.396448726Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Potential exposure of private data via cached Set-Cookie response
Details

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. UpdateCacheMiddleware and the cache_page() decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48588.json",
    "cna_assigner": "DSF",
    "cwe_ids": [
        "CWE-524"
    ]
}
References

Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.2"
        },
        {
            "fixed": "5.2.16"
        },
        {
            "introduced": "6.0"
        },
        {
            "fixed": "6.0.7"
        }
    ]
}

Affected versions

5.*
5.2
5.2.1
5.2.10
5.2.11
5.2.12
5.2.13
5.2.14
5.2.15
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
6.*
6.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48588.json"