
CVE-2026-1285: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django

Severity: High
Tags: vulnerability, CVE-2026-1285, CWE-407
Published: Tue Feb 03 2026 (02/03/2026, 14:35:50 UTC)
Source: CVE Database V5
Vendor/Project: djangoproject
Product: Django

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

AI-Powered Analysis

Last updated: 02/26/2026, 19:02:54 UTC

Technical Analysis

CVE-2026-1285 is a vulnerability in the Django web framework affecting versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The flaw lies in the Truncator utility, specifically in the `chars()` and `words()` methods when called with `html=True`, and in the corresponding template filters `truncatechars_html` and `truncatewords_html`. These functions truncate text while preserving HTML structure. When the input contains a large number of unmatched HTML end tags, however, the underlying algorithm exhibits inefficient complexity and consumes excessive CPU and memory. A remote attacker can trigger a denial-of-service condition by submitting crafted input that forces the server to spend excessive time parsing and truncating the malformed HTML. The vulnerability does not affect confidentiality or integrity, but it impacts availability by potentially exhausting server resources. No authentication or user interaction is required, which increases the risk. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x may also be vulnerable but were not formally evaluated. The vulnerability was responsibly disclosed by Seokchan Yoon and assigned CVE-2026-1285 with a CVSS v3.1 score of 7.5 (high severity).

Potential Impact

The primary impact of CVE-2026-1285 is a denial-of-service condition caused by resource exhaustion on servers running vulnerable Django versions. Organizations hosting web applications that pass user-controlled content through the affected Truncator methods or template filters with `html=True` risk service disruption if attackers submit crafted inputs containing numerous unmatched HTML end tags. This can drive up CPU usage and memory consumption and potentially crash the application or severely degrade its responsiveness. Because Django is widely used across industries worldwide, the scope of affected systems is broad. The vulnerability does not compromise data confidentiality or integrity, but it can cause significant availability issues, affecting user experience and business operations and potentially leading to financial loss or reputational damage. Exploitation requires neither authentication nor user interaction, which makes automated attacks feasible and further elevates the threat. Organizations running high-traffic web services or processing untrusted user input are particularly exposed.

Mitigation Recommendations

To mitigate CVE-2026-1285, organizations should promptly upgrade Django to a fixed release of the series they run: 6.0.2 or later, 5.2.11 or later, or 4.2.28 or later. If immediate upgrading is not feasible, consider implementing input validation or sanitization that limits or rejects inputs with excessive unmatched HTML end tags before they reach the vulnerable truncation functions. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads containing abnormal HTML tag patterns. Monitoring application performance and resource usage can help detect exploitation attempts early. Developers should audit their codebase for any custom usage of `Truncator.chars()` or `Truncator.words()` with `html=True` and avoid processing untrusted HTML content with these functions. Finally, ensure that all web-facing Django services sit behind rate limiting and other standard DoS protections to reduce the risk of large-scale exploitation.
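The following is an added example of the interim input-validation step described above; it is not code from the Django project or from this advisory. It uses only the Python standard library's `html.parser` to count end tags that have no corresponding open tag and rejects input above a threshold before it is handed to `Truncator` or the `truncatechars_html` filter. The threshold `MAX_UNMATCHED_END_TAGS` and the helper names are assumptions chosen for illustration; the matching logic is a simple stack model and does not reproduce Django's own truncation algorithm.

```python
from html.parser import HTMLParser

# Hypothetical threshold for this example; tune it to what your content legitimately needs.
MAX_UNMATCHED_END_TAGS = 10

# Void elements never have an end tag, so they are never pushed onto the open-tag stack.
VOID_ELEMENTS = {
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "source", "track", "wbr",
}


class _UnmatchedEndTagCounter(HTMLParser):
    """Counts end tags that do not close any currently open element."""

    def __init__(self) -> None:
        super().__init__()
        self.open_tags: list[str] = []
        self.unmatched_end_tags = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag: str, attrs) -> None:
        # Self-closing syntax such as <br/> opens nothing and closes nothing;
        # the default implementation would call handle_endtag and miscount it.
        return

    def handle_endtag(self, tag: str) -> None:
        if tag in self.open_tags:
            # Close the most recent matching open tag. Anything opened after it
            # is treated as implicitly closed, as browsers do for e.g. <div><p>text</div>.
            idx = len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)
            del self.open_tags[idx:]
        else:
            self.unmatched_end_tags += 1


def count_unmatched_end_tags(html: str) -> int:
    """Return the number of end tags in `html` with no matching open tag."""
    parser = _UnmatchedEndTagCounter()
    parser.feed(html)
    parser.close()
    return parser.unmatched_end_tags


def is_safe_to_truncate(html: str, limit: int = MAX_UNMATCHED_END_TAGS) -> bool:
    """Gate to apply before calling Truncator(...).chars(..., html=True) or the
    truncatechars_html / truncatewords_html filters on untrusted content."""
    return count_unmatched_end_tags(html) <= limit


if __name__ == "__main__":
    # Constructed sample inputs: ordinary markup passes, markup with stray end tags is flagged.
    well_formed = "<p>Hello <b>world</b></p><br/>"
    stray_end_tags = "<p>Hi</p></div></span>"
    print(count_unmatched_end_tags(well_formed), is_safe_to_truncate(well_formed))
    print(count_unmatched_end_tags(stray_end_tags), is_safe_to_truncate(stray_end_tags, limit=1))
```

Apply the gate in the view or form-cleaning step that first receives the content, so rejected input never reaches a template that renders it through the affected filters; a rejection is also a useful signal to log for the monitoring the recommendations mention.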


Technical Details

Data Version
5.2
Assigner Short Name
DSF
Date Reserved
2026-01-21T12:49:21.258Z
CVSS Version
null
State
PUBLISHED

Threat ID: 69820d79f9fa50a62fcd6045

Added to database: 2/3/2026, 3:00:09 PM

Last enriched: 2/26/2026, 7:02:54 PM

Last updated: 3/20/2026, 7:35:49 AM

Views: 92
