cbcvebase.
CVE-2026-35192
published 2026-05-05

CVE-2026-35192: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but…

PriorityP336medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
EPSS
0.54%
41.5th percentile
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
ansible-automation-platform-24lightspeed-rhel8
ansible-automation-platform-25lightspeed-rhel8
ansible-automation-platform-26controller-rhel9
ansible-automation-platform-26eda-controller-rhel9
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-26hub-rhel9
ansible-automation-platform-26lightspeed-rhel9
ansible-automation-platform-27aap-cloud-billing-rhel9
ansible-automation-platform-27controller-rhel9
ansible-automation-platform-27eda-controller-rhel9
ansible-automation-platform-27gateway-rhel9
ansible-automation-platform-27hub-rhel9
ansible-automation-platform-27lightspeed-rhel9
ansible-automation-platform-27metrics-service-rhel9
ansible-automation-platform-tech-previewmetrics-service-rhel9
ansible-automation-platformautomation-dashboard-rhel9
debianpython-django
discoverydiscovery-server-rhel9
djangoprojectdjango>= 5.2 < 5.2.145.2.14
djangoprojectdjango>= 5.2 < 5.2.145.2.14
djangoprojectdjango>= 6.0 < 6.0.56.0.5
djangoprojectdjango>= 6.0 < 6.0.56.0.5
satellite-capsule_el8python-django
satelliteiop-advisor-backend-rhel9
satellite_el8python-django

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv4.02.3LOWCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat2.3LOW
vendor_ubuntu2.3LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.