Update dependency django to v6.0.5 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	==6.0.4 → ==6.0.5

---

Django has an Improper Handling of Length Parameter Inconsistency

CVE-2026-5766 / GHSA-w26r-rmm8-9c29

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-5766
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-w26r-rmm8-9c29

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Persistent Cookies Containing Sensitive Information

CVE-2026-35192 / GHSA-7h2m-m8vj-598h

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35192
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-7h2m-m8vj-598h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Cache Containing Sensitive Information

CVE-2026-6907 / GHSA-5hrc-gvxj-w55p

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-6907
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-5hrc-gvxj-w55p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

django/django (django)

v6.0.5

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.