CVE-2026-7666
3.1 LOWAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15
Published: 2026-06-03 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 3.1 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE
- CWE-319
Affected products
| Vendor | Product |
|---|---|
| djangoproject | django |
Description
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-8404 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-6873 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-48587 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-35193 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
Same CWE
- CVE-2026-9741 — A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)
- CVE-2026-45432 — This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management...
- CVE-2026-8874 — Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted ... (7.1 HIGH)
- CVE-2026-36610 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding (5.9 MEDIUM)
- CVE-2023-52951 — A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle... (5.9 MEDIUM)