fix(deps): update dependency django to v6.0.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	==6.0.4 → ==6.0.5

---

Django has an Improper Handling of Length Parameter Inconsistency

CVE-2026-5766 / GHSA-w26r-rmm8-9c29

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-5766
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-w26r-rmm8-9c29

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Persistent Cookies Containing Sensitive Information

CVE-2026-35192 / GHSA-7h2m-m8vj-598h

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-35192
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-7h2m-m8vj-598h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Django Uses Cache Containing Sensitive Information

CVE-2026-6907 / GHSA-5hrc-gvxj-w55p

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-6907
• https://docs.djangoproject.com/en/dev/releases/security
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/may/05/security-releases
• https://github.com/advisories/GHSA-5hrc-gvxj-w55p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

django/django (django)

v6.0.5

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Toronto)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

Command failed: uv lock --upgrade-package django
Using CPython 3.14.4 interpreter at: /opt/containerbase/tools/python/3.14.4/bin/python3.14
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.14.4' and sys_platform == 'win32'):
  ╰─▶ Because there is no version of django==6.0.5 and your project depends
      on django==6.0.5, we can conclude that your project's requirements are
      unsatisfiable.
      And because your project requires admin[prod], we can conclude that your
      project's requirements are unsatisfiable.

      hint: The resolution failed for an environment that is not the current
      one, consider limiting the environments with `tool.uv.environments`.

      hint: `django` was filtered by `exclude-newer` to only include packages
      uploaded before 2026-05-02T23:31:40.757954247Z. The requested version,
      v6.0.5, was published at 2026-05-05T13:54:33.532Z. Consider using
      `exclude-newer-package` to override the cutoff for this package.