CVE-2026-25673: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows¶

The URLField form field's to_python() method used urlsplit() to determine whether to prepend a URL scheme to the submitted value. On Windows, urlsplit() performs NFKC normalization, which can be disproportionately slow for large inputs containing certain characters.

URLField.to_python() now uses a simplified scheme detection, avoiding Unicode normalization entirely and deferring URL validation to the appropriate layers. As a result, while leading and trailing whitespace is still stripped by default, characters such as newlines, tabs, and other control characters within the value are no longer handled by URLField.to_python(). When using the default URLValidator, these values will continue to raise ValidationError during validation, but if you rely on custom validators, ensure they do not depend on the previous behavior of URLField.to_python().

This issue has severity "moderate" according to the Django security policy.

CVE-2026-25674: Potential incorrect permissions on newly created file system objects¶

Django's file-system storage and file-based cache backends used the process umask to control permissions when creating directories. In multi-threaded environments, one thread's temporary umask change can affect other threads' file and directory creation, resulting in file system objects being created with unintended permissions.

Django now applies the requested permissions via chmod() after mkdir(), removing the dependency on the process-wide umask.

根据 Django 安全政策，这个问题的严重性为“低”。

漏洞修复¶

• Fixed NameError when inspecting functions making use of deferred annotations in Python 3.14 (#36903).