cbcvebase.
CVE-2026-5766
published 2026-05-05

CVE-2026-5766: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the…

PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.42%
33.9th percentile
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
ansible-automation-platform-24lightspeed-rhel8
ansible-automation-platform-25lightspeed-rhel8
ansible-automation-platform-26controller-rhel9
ansible-automation-platform-26eda-controller-rhel9
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-26hub-rhel9
ansible-automation-platform-26lightspeed-rhel9
ansible-automation-platform-27aap-cloud-billing-rhel9
ansible-automation-platform-27controller-rhel9
ansible-automation-platform-27eda-controller-rhel9
ansible-automation-platform-27gateway-rhel9
ansible-automation-platform-27hub-rhel9
ansible-automation-platform-27lightspeed-rhel9
ansible-automation-platform-27metrics-service-rhel9
ansible-automation-platform-tech-previewmetrics-service-rhel9
ansible-automation-platformautomation-dashboard-rhel9
debianpython-django
discoverydiscovery-server-rhel9
djangoprojectdjango>= 5.2 < 5.2.145.2.14
djangoprojectdjango>= 5.2 < 5.2.145.2.14
djangoprojectdjango>= 6.0 < 6.0.56.0.5
djangoprojectdjango>= 6.0 < 6.0.56.0.5
satellite-capsule_el8python-django
satelliteiop-advisor-backend-rhel9
satellite_el8python-django

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvdv4.06.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat6.3MEDIUM
vendor_ubuntu2.3LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.