CVE-2026-4292
published 2026-04-07


Priority: P4 (low)
CVSS 3.1 base score: 2.7 (LOW)
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.29% (21.1st percentile)
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data, so a user who could edit rows in the changelist could also create rows there. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
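The description says forged POST data to a `list_editable` changelist could create objects instead of only editing the rows that were rendered. Django changelists are backed by a model formset, and a model formset treats every form beyond `INITIAL_FORMS` (or any form with an empty primary-key field) as a new instance to save. The following is an added illustration of a defence-in-depth check for that class of submission; it is not Django's code and not the upstream fix (the fix is to upgrade to a patched version). It assumes Django's real management-form field names (`<prefix>-TOTAL_FORMS`, `<prefix>-INITIAL_FORMS`, `<prefix>-<n>-id`) and a hypothetical helper `check_changelist_post` that a site could call from a custom view or middleware before the formset is saved. The POST dictionaries are constructed sample data, not captured traffic.

```python
"""
Defence-in-depth validation of a Django-style changelist (list_editable) POST.

Added example, not Django's own code or its fix for CVE-2026-4292. It uses the
management-form conventions Django formsets rely on and rejects any submission
that a ModelFormSet would process as *creating* rows rather than editing the
rows the server actually rendered.
"""
from dataclasses import dataclass, field


@dataclass
class ChangelistCheck:
    ok: bool
    problems: list = field(default_factory=list)


def _int_field(post, key):
    """Parse an integer management-form field; None if missing or malformed."""
    raw = post.get(key)
    if raw is None:
        return None
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def check_changelist_post(post, rendered_pks, prefix="form", pk_field="id"):
    """Return a ChangelistCheck for a list_editable submission.

    post         -- flat dict of POSTed fields (request.POST in a real view)
    rendered_pks -- primary keys of the rows the server rendered on the page
    prefix       -- formset prefix; Django's default for changelists is "form"
    """
    problems = []
    allowed = {str(pk) for pk in rendered_pks}

    total = _int_field(post, f"{prefix}-TOTAL_FORMS")
    initial = _int_field(post, f"{prefix}-INITIAL_FORMS")
    if total is None or initial is None:
        return ChangelistCheck(False, ["management form missing or malformed"])

    # Editing existing rows never needs more forms than were shown: any form
    # past INITIAL_FORMS is an "extra" form that the formset would save as a
    # brand-new object.
    if total != initial:
        problems.append(
            f"TOTAL_FORMS={total} != INITIAL_FORMS={initial}: extra forms would create objects"
        )
    if initial > len(allowed):
        problems.append(f"INITIAL_FORMS={initial} exceeds the {len(allowed)} rendered rows")

    seen = set()
    for n in range(total):
        pk = post.get(f"{prefix}-{n}-{pk_field}", "")
        if pk == "":
            # A model form with no pk is a create, not an update.
            problems.append(f"form {n}: empty {pk_field} (would be saved as a new instance)")
        elif pk not in allowed:
            problems.append(f"form {n}: {pk_field}={pk!r} was not among the rendered rows")
        elif pk in seen:
            problems.append(f"form {n}: duplicate {pk_field}={pk!r}")
        seen.add(pk)

    return ChangelistCheck(not problems, problems)


# Constructed sample: what a browser sends after editing two rendered rows
# (pks 7 and 9) on a changelist with a boolean list_editable column.
RENDERED_PKS = [7, 9]
LEGIT_POST = {
    "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "2",
    "form-MIN_NUM_FORMS": "0", "form-MAX_NUM_FORMS": "1000",
    "form-0-id": "7", "form-0-is_active": "on",
    "form-1-id": "9",
    "_save": "Save",
}

# Constructed forgery: TOTAL_FORMS bumped to 3 and a third form with no id,
# which a ModelFormSet treats as a new object to insert.
FORGED_POST = dict(LEGIT_POST, **{
    "form-TOTAL_FORMS": "3",
    "form-2-id": "",
    "form-2-name": "attacker-created",
    "form-2-is_active": "on",
})

# Constructed tampering of a different kind: a pk swapped for one that was
# never rendered on this page.
SWAPPED_PK_POST = dict(LEGIT_POST, **{"form-1-id": "42"})

if __name__ == "__main__":
    for label, post in (("legit", LEGIT_POST), ("forged", FORGED_POST), ("swapped", SWAPPED_PK_POST)):
        result = check_changelist_post(post, RENDERED_PKS)
        print(label, "OK" if result.ok else "REJECT", result.problems)
```

The check is deliberately stricter than a generic formset: a changelist is an edit-in-place surface, so the number of forms must equal the number of rows rendered and every form must name one of those rows. Upgrading to 6.0.4, 5.2.13 or 4.2.30 remains the actual remediation; a check like this only adds a second layer for sites that cannot upgrade immediately or that expose similar custom formset views.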

Affected versions

Vendor          Product         Version range                      Fixed in
debian          python-django   < 3:4.2.30-1 (sid)                 3:4.2.30-1 (sid)
djangoproject   django          >= 4.2, < 4.2.30                   4.2.30
djangoproject   django          >= 5.2, < 5.2.13                   5.2.13
djangoproject   django          >= 6.0, < 6.0.4                    6.0.4

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      2.7     LOW        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
osv             -         6.5     MEDIUM     -
vendor_ubuntu   -         6.5     MEDIUM     -
vendor_debian   -         2.7     LOW        -
vendor_redhat   -         2.7     LOW        -

The sources disagree. NVD, Debian and Red Hat score it 2.7 (LOW) using the vector above, which assumes the attacker already holds high privileges (PR:H, i.e. an admin account with change permission) and can only add rows (I:L). OSV and Ubuntu rate it 6.5 (MEDIUM); their vectors are not shown here.