Django releases security patches for three vulnerabilities in versions 6.0.5 and 5.2.14
Tags: Security · Developer Tools · OSS
Source: Django Project Official Weblog

The Django project released security updates on May 5, 2026 (versions 6.0.5 and 5.2.14) addressing three low-severity vulnerabilities. CVE-2026-5766 is an ASGI file upload limit bypass: requests with a missing or understated Content-Length header can get past FILE_UPLOAD_MAX_MEMORY_SIZE, enabling denial of service through memory exhaustion. CVE-2026-35192 is a session fixation vulnerability that arises when SESSION_SAVE_EVERY_REQUEST is True, allowing attackers to steal sessions via cached public pages. CVE-2026-6907 involves UpdateCacheMiddleware incorrectly caching responses that carry a Vary: * header, potentially exposing private data. All three are rated 'low' severity under Django's security policy.
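The first issue illustrates a general rule worth seeing in code: an upload limit enforced only against the declared Content-Length is no limit at all, because the header is attacker-controlled and may be absent. The example below is added here and is not Django's code; it contrasts a reader that trusts the header with one that counts the bytes actually received. The limit constant borrows the FILE_UPLOAD_MAX_MEMORY_SIZE name and Django's documented default only for readability, and the chunked bodies are constructed sample input.

```python
"""Enforce a body-size limit on bytes actually received, not on Content-Length.

Added illustration for the upload-limit bypass described above; this is not
Django's implementation. The constant name mirrors Django's setting so the
intent is obvious; its value is Django's documented default (2.5 MiB).
"""
from typing import Dict, Iterable, Optional

FILE_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # assumed here as the limit under test


class RequestDataTooBig(Exception):
    """Raised when a request body exceeds the configured limit."""


def declared_length(headers: Dict[str, str]) -> Optional[int]:
    """Return the Content-Length as an int, or None if missing or malformed.

    A None result must be treated as 'unknown', never as 'zero'.
    """
    raw = headers.get("content-length")
    if raw is None:
        return None
    try:
        value = int(raw)
    except ValueError:
        return None
    return value if value >= 0 else None


def read_body_trusting_header(
    headers: Dict[str, str], chunks: Iterable[bytes], limit: int = FILE_UPLOAD_MAX_MEMORY_SIZE
) -> bytes:
    """Weak pattern: the limit is compared only against the declared length.

    A missing or understated Content-Length sails through, and the whole body
    is buffered in memory regardless of how many bytes the client really sends.
    """
    length = declared_length(headers)
    if length is not None and length > limit:
        raise RequestDataTooBig(f"declared {length} bytes > limit {limit}")
    return b"".join(chunks)  # no bound on what is actually received


def read_body_bounded(
    headers: Dict[str, str], chunks: Iterable[bytes], limit: int = FILE_UPLOAD_MAX_MEMORY_SIZE
) -> bytes:
    """Hardened pattern: reject early on the header, then meter the real stream.

    The header check is only an optimisation; the byte counter is the control.
    """
    length = declared_length(headers)
    if length is not None and length > limit:
        raise RequestDataTooBig(f"declared {length} bytes > limit {limit}")

    received = 0
    buffered = []
    for chunk in chunks:
        received += len(chunk)
        if received > limit:
            # Stop consuming as soon as the limit is crossed; nothing further is buffered.
            raise RequestDataTooBig(f"received {received} bytes > limit {limit}")
        buffered.append(chunk)
    return b"".join(buffered)


def compare_readers(limit: int = 1024) -> Dict[str, object]:
    """Run both readers over a constructed body that exceeds `limit` by one byte
    while the Content-Length header understates it. Returns what each did."""
    headers = {"content-length": "100"}  # constructed: understated on purpose
    body_chunks = [b"A" * 512, b"A" * 513]  # constructed: 1025 bytes in total

    trusting_result = len(read_body_trusting_header(headers, iter(body_chunks), limit))
    try:
        read_body_bounded(headers, iter(body_chunks), limit)
        bounded_result = "accepted"
    except RequestDataTooBig:
        bounded_result = "rejected"
    return {"trusting_bytes_buffered": trusting_result, "bounded": bounded_result}


if __name__ == "__main__":
    print(compare_readers())
```

The point of `compare_readers` is the asymmetry: with the same 1025-byte body and a header claiming 100 bytes, the trusting reader buffers all 1025 bytes, while the bounded reader rejects the request the moment the counter passes the limit. In a real server the bounded read should also stop consuming the socket, which is what keeps a flood of oversized uploads from exhausting memory.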