Update dependency django to v6.0.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
django (changelog)	==6.0.4 → ==6.0.5

---

Django has an Improper Handling of Length Parameter Inconsistency

CVE-2026-5766 / GHSA-w26r-rmm8-9c29

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-5766
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-w26r-rmm8-9c29

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Persistent Cookies Containing Sensitive Information

CVE-2026-35192 / GHSA-7h2m-m8vj-598h

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35192
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-7h2m-m8vj-598h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Cache Containing Sensitive Information

CVE-2026-6907 / GHSA-5hrc-gvxj-w55p

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-6907
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-5hrc-gvxj-w55p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

django/django (django)

v6.0.5

Compare Source

---

Configuration

📅 Schedule: (in timezone Europe/Budapest)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.37%. Comparing base (eeee4c9) to head (f80069f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1662   +/-   ##
=======================================
  Coverage   93.37%   93.37%           
=======================================
  Files          76       76           
  Lines        2386     2386           
  Branches      183      183           
=======================================
  Hits         2228     2228           
  Misses        132      132           
  Partials       26       26           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.