Django Weblog: Django security releases issued: 6.0.5 and 5.2.14
The Django team has released Django 6.0.5 and 5.2.14 to address three security issues, which users are advised to remediate quickly.

The first, CVE-2026-5766, could lead to a denial-of-service attack through a bypass of the file upload size limits on ASGI requests. It occurs when the Content-Length header is missing or incorrect, so that a large upload can be accepted past the configured limit and consume excessive memory.

The second, CVE-2026-35192, involves session fixation via cached pages when SESSION_SAVE_EVERY_REQUEST is enabled, posing a risk of session theft.

The third, CVE-2026-6907, concerns potential data exposure due to incorrect handling of the Vary: * header in UpdateCacheMiddleware.

Patches for these issues have been applied to the main, 6.0, and 5.2 branches. All three issues were classified as "low" severity under Django's security policy; upgrades are nevertheless recommended for all 6.0 and 5.2 deployments. The release announcement links to the individual patches as well as the tarballs and checksums for the new versions. Security issues in Django should always be reported privately via email to [email protected].
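The first issue is a general lesson about request framing: an upload limit enforced by reading Content-Length is only as good as the client's honesty, and under ASGI the body arrives as a stream of chunks whether or not that header is present. The following is an added example, not Django's patch or Django's own code, of a small ASGI middleware that enforces a limit by counting the bytes that actually arrive through receive(). The names BodySizeLimitMiddleware, echo_size_app, run_request and the 1 KiB MAX_BODY_BYTES limit are this example's own; the request chunks are constructed inline so it runs offline without Django or an ASGI server.

```python
import asyncio

# Constructed limit for the demo: 1 KiB. Django's real setting for in-memory request
# bodies is DATA_UPLOAD_MAX_MEMORY_SIZE; nothing here imports Django.
MAX_BODY_BYTES = 1024


class BodyTooLarge(Exception):
    """Raised as soon as the bytes actually received exceed the limit."""


class BodySizeLimitMiddleware:
    """Hypothetical ASGI middleware that enforces a request body limit by counting
    the bytes that really arrive through receive(), not by trusting Content-Length."""

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        # Cheap early rejection when the client honestly declares an oversized body.
        # A missing or understated Content-Length gets no such shortcut: it falls
        # through to byte counting below, which is the check that actually matters.
        declared = dict(scope.get("headers", [])).get(b"content-length")
        if declared is not None and declared.isdigit() and int(declared) > self.max_bytes:
            await self._reject(send)
            return

        seen = 0

        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge(seen)
            return message

        try:
            await self.app(scope, limited_receive, send)
        except BodyTooLarge:
            # Demo simplification: a production middleware would track whether the app
            # already sent http.response.start before emitting its own response.
            await self._reject(send)

    @staticmethod
    async def _reject(send):
        await send({"type": "http.response.start", "status": 413,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"Request body too large\n"})


async def echo_size_app(scope, receive, send):
    """Constructed downstream app: buffers the whole body in memory (exactly the
    behaviour an attacker wants to trigger), then reports how many bytes it got."""
    body = b""
    while True:
        message = await receive()
        body += message.get("body", b"")
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})


def run_request(chunks, headers=(), max_bytes=MAX_BODY_BYTES):
    """Drive the middleware with a constructed ASGI request whose body arrives in
    `chunks`; returns (status, body) of whatever response was sent."""
    scope = {"type": "http", "method": "POST", "path": "/upload",
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers]}
    pending = list(chunks)
    sent = []

    async def receive():
        body = pending.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(pending)}

    async def send(message):
        sent.append(message)

    asyncio.run(BodySizeLimitMiddleware(echo_size_app, max_bytes)(scope, receive, send))
    status = sent[0]["status"]
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    # Client lies: claims 10 bytes, then streams 3 x 600 bytes. Counting catches it.
    print(run_request([b"x" * 600] * 3, headers=[("Content-Length", "10")]))
    # Honest small upload with no Content-Length at all still goes through.
    print(run_request([b"x" * 300] * 3))
```

The point of the example is the second request: with no Content-Length at all, a limit that only inspects the header has nothing to compare against, while the byte counter stops the stream as soon as the running total crosses the limit, before the downstream app can buffer the rest.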
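The second and third issues share a root cause: a page cache admitting a response it should never have stored, either one that carries a session cookie (which is then handed to every later visitor) or one whose Vary: * header says it cannot be keyed correctly at all. As an added illustration, not Django's middleware and not its fix, here is a conservative cache admission check plus a Vary-aware cache key. The rules in is_cacheable are this example's own, and the function names is_cacheable, cache_key and the sample headers are constructed for the demo.

```python
import hashlib


def _header_values(headers, name):
    """All values of a header, matched case-insensitively, from (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def is_cacheable(status, headers):
    """Page-cache admission check (this example's own rules, not Django's): a shared
    cache may store the response only if it is a plain 200, sets no cookie, is not
    marked private or no-store, and does not declare Vary: *."""
    if status != 200:
        return False
    # A response that sets a cookie (for instance a session ID refreshed on every
    # request) must never be shared: serving it from cache gives every later visitor
    # the same session, which is the session fixation scenario.
    if _header_values(headers, "Set-Cookie"):
        return False
    for value in _header_values(headers, "Cache-Control"):
        if {"private", "no-store"} & set(_tokens(value)):
            return False
    # Vary: * means the response depends on something the server will not name, so no
    # cache key built from request headers can be correct; treat it as uncacheable.
    for value in _header_values(headers, "Vary"):
        if "*" in _tokens(value):
            return False
    return True


def cache_key(path, response_headers, request_headers):
    """Key a cached response by the path plus the request header values named in Vary,
    so a response that varies on Accept-Language is never served to a client that sent
    a different one."""
    vary = []
    for value in _header_values(response_headers, "Vary"):
        vary.extend(_tokens(value))
    parts = [path]
    for name in sorted(set(vary)):
        parts.append(name + "=" + "|".join(_header_values(request_headers, name)))
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    # Constructed responses: a session cookie and a wildcard Vary both get refused.
    print(is_cacheable(200, [("Set-Cookie", "sessionid=abc; HttpOnly; Secure")]))
    print(is_cacheable(200, [("Vary", "Accept-Language, *")]))
    # Same path, different Accept-Language: distinct keys when the response varies on it.
    resp = [("Vary", "Accept-Language")]
    print(cache_key("/", resp, [("Accept-Language", "en")]) !=
          cache_key("/", resp, [("Accept-Language", "de")]))
```

A useful check on a deployment that enables SESSION_SAVE_EVERY_REQUEST is to confirm that no response reaching the page cache carries Set-Cookie; the admission rule above makes that explicit rather than relying on the cache layer to notice.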