CVE-2026-6873

Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
03/06/2026
Last modified:
05/06/2026

Description

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.<br /> `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.<br /> Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.<br /> Django would like to thank Peng Zhou for reporting this issue.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 5.2 (including) 5.2.15 (excluding)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 6.0 (including) 6.0.6 (excluding)