CVE-2026-25673
Potential denial-of-service vulnerability in URLField via Unicode normalization on WindowsAn issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
We have discovered 67 live websites that are affected by CVE-2026-25673.
Affected Software
| Product |  Django |
| Category | Web Application Frameworks |
| Vulnerable Domains | 67 live websites (15% of Django install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 2 versions ( 40% of all versions) |
Common Weakness Enumeration
CWE-400 Uncontrolled Resource ConsumptionDetails
- Published - Mar 3, 2026
- Updated - Mar 3, 2026
Credits
- Seokchan Yoon (reporter)
- Natalia Bidart (remediation developer)
- Natalia Bidart (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-25673 United States | 1 websites |
 Russia | 63 websites |
 Germany | 3 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25673| .ru | 63 websites |
| .com | 3 websites |
| .de | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25673
Top websites that are affected by CVE-2026-25673. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.ru | Russia | ***,*** | |
| **********.com | Germany | *,***,*** | |
| ******.com | United States | *,***,*** | |
| ********.ru | Russia | *,***,*** | |
| ******.*****.ru | Russia | *,***,*** | |
| ******.*****.ru | Russia | *,***,*** | |
| **************.*****.ru | Russia | *,***,*** | |
| ***********.*****.ru | Russia | *,***,*** | |
| ***************.*****.ru | Russia | *,***,*** | |
| *******.*****.ru | Russia | *,***,*** |
FAQ
CVE-2026-25673 is Uncontrolled Resource Consumption in Django
A total of 67 websites have been identified as vulnerable to CVE-2026-25673, based on global website indexing conducted by WebTechSurvey.
The Django is affected by the CVE-2026-25673 vulnerability.
Django versions up to 6.0.3 are vulnerable to CVE-2026-25673.
CVE-2026-25673 is resolved in version 6.0.3 of Django.