CVE-2026-25673: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows¶

The URLField form field's to_python() method used urlsplit() to determine whether to prepend a URL scheme to the submitted value. On Windows, urlsplit() performs NFKC normalization, which can be disproportionately slow for large inputs containing certain characters.

URLField.to_python() now uses a simplified scheme detection, avoiding Unicode normalization entirely and deferring URL validation to the appropriate layers. As a result, while leading and trailing whitespace is still stripped by default, characters such as newlines, tabs, and other control characters within the value are no longer handled by URLField.to_python(). When using the default URLValidator, these values will continue to raise ValidationError during validation, but if you rely on custom validators, ensure they do not depend on the previous behavior of URLField.to_python().

This issue has severity "moderate" according to the Django security policy.

CVE-2026-25674: Potential incorrect permissions on newly created file system objects¶

Django's file-system storage and file-based cache backends used the process umask to control permissions when creating directories. In multi-threaded environments, one thread's temporary umask change can affect other threads' file and directory creation, resulting in file system objects being created with unintended permissions.

Django now applies the requested permissions via chmod() after mkdir(), removing the dependency on the process-wide umask.

根据 Django 安全政策，这个问题的严重性为“低”。

漏洞修复¶

• Fixed NameError when inspecting functions making use of deferred annotations in Python 3.14 (#36903).

• Fixed AttributeError when subclassing builtin lookups and neglecting to override as_sql() to accept any sequence (#36934).

• Fixed TypeError when deprecation warnings are emitted in environments importing Django by namespace (#36961).

• Fixed a visual regression where fieldset legends were misaligned in the admin (#36920).

• Prevented the django.tasks.signals.task_finished signal from writing extraneous log messages when no exceptions are encountered (#36951).