NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-35192

Summary	An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Publication Date	May 6, 2026, 1:16 a.m.
Registration Date	May 6, 2026, 4:07 a.m.
Last Update	May 6, 2026, 1:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://docs.djangoproject.com/en/dev/releases/security/	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
2	https://groups.google.com/g/django-announce	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
3	https://www.djangoproject.com/weblog/2026/may/05/security-releases/	6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-539	重要情報を含む永続 Cookie の使用	https://cwe.mitre.org/data/definitions/539.html