Django 5.2.16 release notes

July 7, 2026

Django 5.2.16 fixes three security issues with severity “low” in 5.2.15.

CVE-2026-53877: Heap buffer over-read in GDALRaster

When GDALRaster was instantiated with a bytes object representing a raster file, the vsi_buffer property could over-read the allocated buffer by approximately 32 bytes. This could result in information disclosure of adjacent heap memory or, in rare cases, a segmentation fault. Only rasters stored in GDAL’s virtual filesystem were affected.

This issue has severity “low” according to the Django security policy.

CVE-2026-53878: Header injection possibility since DomainNameValidator accepted newlines in input

DomainNameValidator accepted newlines in domain names. If such values were included in HTTP responses, header injection attacks were possible. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.

The vulnerability only affected uses of DomainNameValidator outside Django form fields, as CharField strips newlines by default.

This issue has severity “low” according to the Django security policy.