CVE-2026-4292

NameCVE-2026-4292
DescriptionAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1132927

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)bullseye2:2.2.28-1~deb11u2vulnerable
bullseye (security)2:2.2.28-1~deb11u12vulnerable
bookworm3:3.2.19-1+deb12u1vulnerable
bookworm (security)3:3.2.25-0+deb12u2vulnerable
trixie (security), trixie3:4.2.28-0+deb13u1vulnerable
forky, sid3:4.2.30-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)3:4.2.30-11132927

Notes

[trixie] - python-django <no-dsa> (Minor issue)
[bookworm] - python-django <no-dsa> (Minor issue)
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Fixed by: https://github.com/django/django/commit/abfe1a1c57a57cfaf6dd4a0571c029401a0fe743 (4.2.30)
Search for package or bug name: Reporting problems