Blog Info: The Django weblog
Sept. 21, 2025 » The Django weblog » [Archived Version]
Hello Djangonauts, At the end of this month, I'll be stepping away from my role as Django Fellow for some time while I'm on maternity leave. During this period, I don't anticipate being active on Trac, in PR reviews, on the Forum, or on Discord. I would appreciate folks giving me space to settle in with my new baby. Django will be well looked after by our Fellows, Natalia Bidart and Jacob Walls, who will continue supporting the project and community while I'm away. I'm grateful to be part of su…
Sept. 3, 2025 » The Django weblog » [Archived Version]
In accordance with our security release policy, the Django team is issuing releases for Django 5.2.6, Django 5.1.12, and Django 4.2.24. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.an…
June 10, 2025 » The Django weblog » [Archived Version]
Following the June 4, 2025 security release, the Django team is issuing releases for Django 5.2.3, Django 5.1.11, and Django 4.2.23 to complete mitigation for CVE-2025-48432: Potential log injection via unescaped request path (full description). These follow-up releases migrate remaining response logging paths to a safer logging implementation, ensuring that all untrusted input is properly escaped before being written to logs. This update does not introduce a new CVE but strengthens the origina…
April 2, 2025 » The Django weblog » [Archived Version]
The Django team is happy to announce the release of Django 5.2. The release notes showcase a composite of new features. A few highlights are: All models are automatically imported in the shell by default. Django now supports composite primary keys! The new django.db.models.CompositePrimaryKey allows tables to be created with a primary key consisting of multiple fields. Overriding a BoundField got a lot easier: this can now be set on a form, field or project level. You can get Django 5.2 from …
April 2, 2025 » The Django weblog » [Archived Version]
In accordance with our security release policy, the Django team is issuing releases for Django 5.1.8 and Django 5.0.14. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2025-27556: Potential denial-of-service vulnerability in LoginView, LogoutView, and set_language() on Windows Python's NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView,…
March 19, 2025 » The Django weblog » [Archived Version]
Django 5.2 release candidate 1 is the final opportunity for you to try out a composite of new features before Django 5.2 is released. The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 5.2 will be released on or around April 2. Any delays will be communicated on the Django forum. Please use this opportunity to help find and fix bugs (which should…
March 6, 2025 » The Django weblog » [Archived Version]
In accordance with our security release policy, the Django team is issuing releases for Django 5.1.7, Django 5.0.13 and Django 4.2.20. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2025-26699: Potential denial-of-service in django.utils.text.wrap() The django.utils.text.wrap() and wordwrap template filter were subject to a potential denial-of-service attack when used with very long strings. Thanks to sw0rd1ight f…
Feb. 19, 2025 » The Django weblog » [Archived Version]
Django 5.2 beta 1 is now available. It represents the second stage in the 5.2 release cycle and is an opportunity for you to try out the changes coming in Django 5.2. Django 5.2 brings a composite of new features which you can read about in the in-development 5.2 release notes. Only bugs in new features and regressions from earlier versions of Django will be fixed between now and the 5.2 final release. Translations will be updated following the "string freeze", which occurs when the release can…
Jan. 16, 2025 » The Django weblog » [Archived Version]
Django 5.2 alpha 1 is now available. It represents the first stage in the 5.2 release cycle and is an opportunity for you to try out the changes coming in Django 5.2. Django 5.2 brings a composite of new features which you can read about in the in-development 5.2 release notes. This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get ea…
Dec. 4, 2024 » The Django weblog » [Archived Version]
In accordance with our security release policy, the Django team is issuing releases for Django 5.1.4, Django 5.0.10, and Django 4.2.17. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2024-53907: Potential denial-of-service in django.utils.html.strip_tags() The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of neste…