deps: update dependency django to v5.2.14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	5.2.13 → 5.2.14

---

Django Uses Persistent Cookies Containing Sensitive Information

CVE-2026-35192 / GHSA-7h2m-m8vj-598h

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35192
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-7h2m-m8vj-598h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django has an Improper Handling of Length Parameter Inconsistency

CVE-2026-5766 / GHSA-w26r-rmm8-9c29

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-5766
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-w26r-rmm8-9c29

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Cache Containing Sensitive Information

CVE-2026-6907 / GHSA-5hrc-gvxj-w55p

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-6907
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-5hrc-gvxj-w55p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

django/django (django)

v5.2.14

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.38%. Comparing base (1c32dcf) to head (d900a61).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #223   +/-   ##
=======================================
  Coverage   97.38%   97.38%           
=======================================
  Files         105      105           
  Lines        4586     4586           
=======================================
  Hits         4466     4466           
  Misses        120      120           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.