CVE-2026-7666

Severity CVSS v4.0:
LOW
Type:
CWE-319 Cleartext Transmission of Sensitive Information
Publication date:
03/06/2026
Last modified:
05/06/2026

Description

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.<br /> `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.<br /> Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.<br /> Django would like to thank Kasper Dupont for reporting this issue.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 5.2 (including) 5.2.15 (excluding)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* 6.0 (including) 6.0.6 (excluding)