CVE-2026-1285

Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods

Assigner: DSF
Reserved: 21.01.2026 Published: 03.02.2026 Updated: 03.02.2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Product Status

Vendor	djangoproject
Product	Django
Versions	Default: unaffected affected from 6.0 to 6.0.2 (excl.) Version 6.0.2 is unaffected affected from 5.2 to 5.2.11 (excl.) Version 5.2.11 is unaffected affected from 4.2 to 4.2.28 (excl.) Version 4.2.28 is unaffected

Vendor

djangoproject

Product

Django

Versions

Default: unaffected

affected from 6.0 to 6.0.2 (excl.)
Version 6.0.2 is unaffected
affected from 5.2 to 5.2.11 (excl.)
Version 5.2.11 is unaffected
affected from 4.2 to 4.2.28 (excl.)
Version 4.2.28 is unaffected

Credits

Seokchan Yoon reporter
Natalia Bidart remediation developer
Jacob Walls coordinator

References

Problem Types

CWE-407: Inefficient Algorithmic Complexity CWE

Impacts