CVE-2026-1285 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-1285 Interim 1 1 2026-03-05T00:19:34Z current 2026-03-05T00:19:34Z 2026-03-05T00:19:34Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-1285 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2026-February/024108.html E-Mail link for SUSE-SU-2026:0440-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Package Hub 15 SP6 openSUSE Leap 15.6 openSUSE Leap 16.0 openSUSE Tumbleweed python3-Django-2.2.28-bp156.30.1 python311-Django-4.2.11-150600.3.47.1 python311-Django-5.2.11-1.1 python311-Django4-4.2.28-1.1 python312-Django-5.2.11-1.1 python312-Django4-4.2.28-1.1 python312-Django6-6.0.2-1.1 python313-Django-5.2.11-1.1 python313-Django-5.2.4-bp160.5.1 python313-Django4-4.2.28-1.1 python313-Django6-6.0.2-1.1 python311-Django-4.2.11-150600.3.47.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python3-Django-2.2.28-bp156.30.1 as a component of SUSE Package Hub 15 SP6 python3-Django-2.2.28-bp156.30.1 as a component of openSUSE Leap 15.6 python311-Django-4.2.11-150600.3.47.1 as a component of openSUSE Leap 15.6 python313-Django-5.2.4-bp160.5.1 as a component of openSUSE Leap 16.0 python311-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python312-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python312-Django6-6.0.2-1.1 as a component of openSUSE Tumbleweed python313-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python313-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0.2-1.1 as a component of openSUSE Tumbleweed An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. CVE-2026-1285 SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.47.1 SUSE Package Hub 15 SP6:python3-Django-2.2.28-bp156.30.1 openSUSE Leap 15.6:python3-Django-2.2.28-bp156.30.1 openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.47.1 openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1 openSUSE Tumbleweed:python311-Django-5.2.11-1.1 openSUSE Tumbleweed:python311-Django4-4.2.28-1.1 openSUSE Tumbleweed:python312-Django-5.2.11-1.1 openSUSE Tumbleweed:python312-Django4-4.2.28-1.1 openSUSE Tumbleweed:python312-Django6-6.0.2-1.1 openSUSE Tumbleweed:python313-Django-5.2.11-1.1 openSUSE Tumbleweed:python313-Django4-4.2.28-1.1 openSUSE Tumbleweed:python313-Django6-6.0.2-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H