{"id":"MGASA-2026-0093","summary":"Updated python-django packages fix security vulnerabilities","details":"ASGI header spoofing via underscore/hyphen conflation. (CVE-2026-3902)\nPrivilege abuse in ``GenericInlineModelAdmin``. (CVE-2026-4277)\nPrivilege abuse in ``ModelAdmin.list_editable``. (CVE-2026-4292)\nPotential denial-of-service vulnerability in ``MultiPartParser`` via\nbase64-encoded file upload. (CVE-2026-33033)\nPotential denial-of-service vulnerability in ASGI requests via memory\nupload limit bypass. (CVE-2026-33034)\n","modified":"2026-04-16T00:12:31.789082461Z","published":"2026-04-11T23:02:03Z","upstream":["CVE-2026-33033","CVE-2026-33034","CVE-2026-3902","CVE-2026-4277","CVE-2026-4292"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0093.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35330"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/07/10"}],"affected":[{"package":{"name":"python-django","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python-django?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.13-1.12.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0093.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}