CVE-2026-1285 Overview
CVE-2026-1285 is a denial-of-service vulnerability in the Django web framework. The flaw resides in the django.utils.text.Truncator.chars() and Truncator.words() methods when invoked with html=True, and therefore also in the truncatechars_html and truncatewords_html template filters, which call those methods with html=True. A remote attacker can submit crafted input containing a large number of unmatched HTML end tags to trigger excessive processing. The issue affects Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be affected. Django credited Seokchan Yoon for reporting the issue.
Critical Impact
Remote unauthenticated attackers can exhaust application resources and render Django-based web applications unavailable by submitting crafted HTML inputs to endpoints that invoke the affected truncation routines.
Affected Products
- Django 6.0 before 6.0.2
- Django 5.2 before 5.2.11
- Django 4.2 before 4.2.28
Discovery Timeline
- 2026-02-03 - Django publishes coordinated security release addressing the issue, with credit to Seokchan Yoon
- 2026-02-03 - CVE-2026-1285 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-1285
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw classified under CWE-407 (Inefficient Algorithmic Complexity). It affects Django's text truncation utilities responsible for shortening HTML-bearing strings while keeping tag structure intact. When html=True is set on Truncator.chars() or Truncator.words(), or when the truncatechars_html and truncatewords_html template filters are used, Django must parse the input and close any tags left open at the cut point. Crafted inputs containing a large volume of unmatched HTML end tags force the truncation logic into expensive processing paths. The result is high CPU utilization on the worker handling the request, which stalls request handling for other users on that worker and, under sustained load, saturates the worker pool.
Root Cause
The root cause is inefficient handling of malformed HTML during truncation. The truncator does not bound the work performed when reconciling unmatched closing tags. Each additional unmatched end tag amplifies the processing cost, producing a denial-of-service condition without requiring authentication, special privileges, or user interaction.
Attack Vector
Exploitation is network-based. Any Django view, template, or API endpoint that passes attacker-controlled text through the affected truncation routines becomes an attack surface. Common scenarios include comment systems, user profile fields, post previews, and search result snippets rendered with truncatechars_html or truncatewords_html. The attacker submits an HTTP request containing a payload of unmatched HTML end tags, repeating the request to amplify resource exhaustion against the application server.
No verified public exploit code is available. See the Django Weblog Security Updates for the vendor's technical details.
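The following timing harness is an added example, not code from Django or from the advisory. It builds input of the shape the advisory describes (ordinary content followed by many end tags that close nothing) and measures how long Truncator.chars() takes on it with html=True against html=False, so an operator can confirm the slow path before upgrading and its absence afterwards. It assumes Django is importable; the function names build_payload, time_truncation and profile are this example's own, and the sizes are a starting point, since on an unpatched release larger inputs may run for a very long time.

```python
"""Timing harness for CVE-2026-1285 (added example, not Django's code)."""
import time


def build_payload(n, tag="div"):
    """Input shaped as the advisory describes: some ordinary content
    followed by n end tags that close nothing."""
    return "<p>hello</p>" + f"</{tag}>" * n


def time_truncation(text, num=50, html=True):
    """Seconds spent in Truncator.chars(num, html=html) on text, or None
    when Django is not installed in this interpreter."""
    try:
        import django
        from django.conf import settings
        from django.utils.text import Truncator
    except ImportError:
        return None
    if not settings.configured:
        settings.configure()  # Truncator's default ellipsis goes through i18n
    django.setup()            # i18n also needs the app registry ready
    t0 = time.perf_counter()
    Truncator(text).chars(num, html=html)
    return time.perf_counter() - t0


def profile(sizes=(500, 2000, 8000)):
    """One (n, seconds with html=True, seconds with html=False) row per size.
    Increase the sizes cautiously: on a vulnerable release the html=True
    column is the one that should grow far faster than n."""
    rows = []
    for n in sizes:
        payload = build_payload(n)
        rows.append((n, time_truncation(payload, html=True),
                     time_truncation(payload, html=False)))
    return rows


if __name__ == "__main__":
    rows = profile()
    if rows[0][1] is None:
        print("Django is not installed; nothing to measure.")
    else:
        import django
        print("Django", django.get_version())
        for n, with_html, without_html in rows:
            print(f"{n:>7} unmatched end tags: html=True {with_html:.4f}s,"
                  f" html=False {without_html:.4f}s")
```

Run it once on the deployed release and once after upgrading; Truncator.words() can be timed the same way by swapping the method call. The html=False column is the baseline that shows the cost is specific to the HTML path rather than to input length.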
Detection Methods for CVE-2026-1285
Indicators of Compromise
- HTTP request bodies or query parameters containing abnormally large counts of unmatched HTML end tags such as </p>, </div>, or </span>.
- Sustained elevated CPU usage on Django worker processes correlated with specific endpoints that render or filter user-supplied HTML.
- Increased request latency or timeouts on views invoking truncatechars_html, truncatewords_html, or Truncator with html=True.
Detection Strategies
- Inspect web server and WSGI logs for repeated POST or GET requests to endpoints that handle rich text fields, especially with oversized payloads.
- Profile Django applications to identify hotspots in django.utils.text.Truncator during incidents.
- Add web application firewall rules to flag request bodies where the ratio of HTML closing tags to opening tags is heavily skewed.
Monitoring Recommendations
- Track per-endpoint CPU time and response time percentiles to surface algorithmic complexity attacks.
- Alert on worker process saturation, request queue growth, and 5xx error spikes on user-content endpoints.
- Correlate spikes in request size on text-heavy endpoints with backend resource utilization.
How to Mitigate CVE-2026-1285
Immediate Actions Required
- Upgrade to Django 6.0.2, 5.2.11, or 4.2.28 depending on the deployed branch.
- Audit application code for use of Truncator.chars(html=True), Truncator.words(html=True), truncatechars_html, and truncatewords_html on untrusted input.
- Enforce input size limits on fields that accept HTML before truncation routines process them.
- Apply rate limiting on endpoints that render user-supplied HTML through truncation filters.
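To make the audit step concrete, here is an added example (not Django's code) that checks a version tuple against the fixed releases named above and walks a project tree for the affected template filters and for .chars()/.words() calls that pass an html argument. The sample view and template are constructed for the demonstration; the function names is_patched, scan_template, scan_python and scan_tree are this example's own, and the Python scan matches on method name only, so unrelated .chars/.words calls show up for manual review rather than being silently dropped.

```python
"""Audit a code base for CVE-2026-1285 exposure (added example)."""
import ast
import re
from pathlib import Path

# First fixed release on each supported branch, per the Django advisory.
FIXED = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}

# Template filter usage such as "{{ value|truncatewords_html:30 }}".
FILTER_RE = re.compile(r"\|\s*(truncatechars_html|truncatewords_html)\b")


def is_patched(version):
    """True when a (major, minor, micro, ...) tuple such as django.VERSION
    is at or past the fix for its branch. Branches newer than 6.0 were
    released after the fix; unsupported older ones (5.0, 4.1, 3.2) never
    received it and count as unpatched."""
    branch = tuple(version[:2])
    if branch in FIXED:
        return tuple(version[:3]) >= FIXED[branch]
    return branch > (6, 0)


def scan_template(text, path):
    """(path, line, filter) for every affected template filter in text."""
    return [(path, lineno, m.group(1))
            for lineno, line in enumerate(text.splitlines(), 1)
            for m in FILTER_RE.finditer(line)]


def scan_python(source, path):
    """(path, line, description) for .chars()/.words() calls whose html
    argument is anything other than the literal False."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("chars", "words")):
            continue
        html_arg = next((kw.value for kw in node.keywords if kw.arg == "html"), None)
        if html_arg is None and len(node.args) >= 3:
            html_arg = node.args[2]  # chars(num, truncate, html) passed positionally
        if html_arg is None:
            continue
        if isinstance(html_arg, ast.Constant) and html_arg.value is False:
            continue
        hits.append((path, node.lineno, f"Truncator.{node.func.attr}(html=...)"))
    return hits


def scan_tree(root):
    """Walk a project directory and collect every hit from .py files and
    .html/.txt templates; files that fail to parse are skipped."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.suffix == ".py":
                hits += scan_python(p.read_text(encoding="utf-8"), str(p))
            elif p.suffix in (".html", ".txt"):
                hits += scan_template(p.read_text(encoding="utf-8"), str(p))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return hits


# Constructed samples standing in for a real project.
SAMPLE_VIEWS = '''
from django.utils.text import Truncator

def preview(body):
    return Truncator(body).chars(200, html=True)   # affected

def title(text):
    return Truncator(text).words(8)                # html defaults to False
'''
SAMPLE_TEMPLATE = '''<div class="preview">{{ post.body|truncatewords_html:50 }}</div>
<h2>{{ post.title|truncatechars:40 }}</h2>
'''

if __name__ == "__main__":
    for hit in (scan_python(SAMPLE_VIEWS, "views.py")
                + scan_template(SAMPLE_TEMPLATE, "post.html")):
        print("%s:%d: %s" % hit)
```

In a real project, call is_patched(django.VERSION) from the deployed interpreter and scan_tree(".") from the repository root; the hits are the call sites that must not receive untrusted input until the upgrade lands.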
Patch Information
Django released fixed versions 6.0.2, 5.2.11, and 4.2.28 on 2026-02-03. Patch details and upgrade instructions are available in the Django Security Release Notes and the Django Weblog Security Updates. Operators on unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x should migrate to a supported, patched branch.
Workarounds
- Switch templates from truncatechars_html and truncatewords_html to the non-HTML variants truncatechars and truncatewords where safe to do so.
- Pre-sanitize incoming HTML with an allowlist sanitizer built on a real HTML parser (for example nh3; bleach also works but its maintainers have deprecated it) before invoking truncation utilities. An HTML5-conformant parser ignores end tags that close nothing, so the truncator never sees them.
- Cap request body size and field length at the reverse proxy or WAF layer to limit the volume of unmatched end tags that can reach the application.
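The WAF rule suggested under Detection Strategies (flag bodies where closing tags heavily outnumber opening tags) and the input cap above both come down to counting end tags that close nothing. The following is an added example, not part of the original page or of Django, that does that count with the standard library's html.parser and exposes a single predicate usable both in a WAF-style triage script over request bodies and as a guard in a form's clean() method. The thresholds and the two sample bodies are constructed for the demonstration, and the names TagBalance, tag_stats and is_suspicious are this example's own.

```python
"""Flag untrusted text carrying many stray HTML end tags (added example)."""
from html.parser import HTMLParser

# Void elements never take an end tag, so an opening <br> or <img> must not
# be left on the stack waiting for one.
VOID_ELEMENTS = {
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "param", "source", "track", "wbr",
}


class TagBalance(HTMLParser):
    """Count start tags, end tags, and end tags that close nothing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []
        self.opening = 0
        self.closing = 0
        self.unmatched = 0

    def handle_starttag(self, tag, attrs):
        self.opening += 1
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.opening += 1  # <br/> opens and closes in one token

    def handle_endtag(self, tag):
        self.closing += 1
        if tag in self.stack:
            # Pop to the matching start tag; anything above it was left
            # open and is implicitly closed, as a browser would do.
            while self.stack.pop() != tag:
                pass
        else:
            self.unmatched += 1


def tag_stats(text):
    """Return {'opening', 'closing', 'unmatched'} counts for text."""
    parser = TagBalance()
    parser.feed(text)
    parser.close()
    return {"opening": parser.opening, "closing": parser.closing,
            "unmatched": parser.unmatched}


def is_suspicious(text, max_unmatched=50, min_closing=20, max_ratio=3.0):
    """True when text looks like a CVE-2026-1285 payload: more stray end
    tags than any editor produces, or a closing:opening ratio that is
    heavily skewed once there are enough end tags for the ratio to mean
    anything. The thresholds are assumptions; tune them to your content."""
    s = tag_stats(text)
    if s["unmatched"] > max_unmatched:
        return True
    return (s["closing"] >= min_closing and s["opening"] > 0
            and s["closing"] / s["opening"] > max_ratio)


# Constructed sample request bodies (not captured traffic).
BENIGN_BODY = "<p>Hello <b>world</b></p><ul><li>one</li><li>two</li></ul>"
CRAFTED_BODY = "<p>x</p>" + "</div>" * 5000

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("crafted", CRAFTED_BODY)):
        print(label, tag_stats(body), "suspicious" if is_suspicious(body) else "ok")
```

In a form, raise a ValidationError when is_suspicious(value) is true before the value is stored or passed to a truncating filter; in a triage script, run it over logged request bodies for the rich-text endpoints and sort by the unmatched count. The stack-based count is deliberately forgiving of ordinary sloppy markup, which is why small mismatches like an extra </p> stay below the threshold.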
# Upgrade commands (pin to the first fixed release on the deployed branch)
pip install --upgrade "Django>=4.2.28,<4.3" # 4.2 LTS branch
pip install --upgrade "Django>=5.2.11,<5.3" # 5.2 branch
pip install --upgrade "Django>=6.0.2,<6.1" # 6.0 branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


