Is django affected by CVE-2026-35193?

PyPI django is affected in >=5.2 =6.0 <6.0.6.

Is CVE-2026-35193 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

← All vulnerabilities

MEDIUMSupply chain

CVE-2026-35193

Q: Is CVE-2026-35193 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

PyPI · django

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read priva

References

https://groups.google.com/g/django-announce
https://docs.djangoproject.com/en/dev/releases/security/
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

Related vulnerabilities

All Supply chain →

HIGHCVE-2026-52801
Gogs has the ability to import local repositories via Mirror Settings
HIGHCVE-2026-52800
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
HIGHCVE-2026-52799
Gogs Missing Authorization in Attachment Download
HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
MEDIUMCVE-2026-50179
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
HIGHCVE-2026-54353
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation