NES for Django 3.2.x Release Notes

3 versions

Comprehensive release notes and changelog for NES for Django 3.2.x, including security patches, bug fixes, and feature updates across all supported versions.

Apr 29, 2026
Latest: 3.2.27
15 Patched Vulnerabilities

April 2026

Full Version:
3.2.27

Notes

  • Full Version: nes/django@3.2.27

Security Fixes

  • contrib:
    • admin: Privilege abuse in ModelAdmin.list_editable.
      • This fixes a low-severity privilege abuse vulnerability in ModelAdmin.list_editable (CVE-2026-4292).
    • auth: Username enumeration through timing difference in mod_wsgi Authentication handler.
      • This fixes a low-severity Authentication vulnerability CVE-2025-13473.
    • contenttypes: Privilege abuse in GenericInlineModelAdmin.
      • This fixes a low-severity "Privilege abuse in ModelAdmin.list_editable" vulnerability (CVE-2026-4277).
    • gis: Potential SQL injection via raster lookups on PostGIS.
      • This fixes a high-severity SQL injection vulnerability CVE-2026-1207.
  • core/cache: Potential incorrect permissions on newly created file system objects.
    • This fixes a low-severity Broken Access Control vulnerability CVE-2026-25674.
  • core/handlers:
    • Potential denial-of-service vulnerability via repeated headers when using ASGI.
      • This fixes a medium-severity denial-of-service (DoS) vulnerability CVE-2025-14550.
    • ASGI header spoofing via underscore/hyphen conflation.
      • This fixes a medium-severity Authentication vulnerability CVE-2026-3902.
  • db/models:
    • Potential SQL injection via QuerySet.order_by and FilteredRelation.
      • This fixes a high-severity SQL injection vulnerability CVE-2026-1312.
    • Potential SQL injection in column aliases via control characters.
      • This fixes a high-severity SQL injection vulnerability CVE-2026-1287.
  • files/storage: Potential incorrect permissions on newly created file system objects.
    • This fixes a low-severity Broken Access Control vulnerability CVE-2026-25674.
  • forms: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows.
    • This fixes a medium-severity denial-of-service (DoS) vulnerability CVE-2026-25673.
  • http:
    • multipartparser: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload.
      • This fixes a medium-severity denial-of-service (DoS) vulnerability CVE-2026-33033.
    • request: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass.
      • This fixes a high-severity denial-of-service (DoS) vulnerability CVE-2026-33034.
  • utils:
    • Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods.
      • This fixes a medium-severity denial-of-service (DoS) vulnerability CVE-2026-1285.
    • Potential incorrect permissions on newly created file system objects.
      • This fixes a low-severity Broken Access Control vulnerability CVE-2026-25674.

January 2026

3.2.26

Released Jan 9, 2026

Notes

  • Full package name and version:
    • nes/django@3.2.26

Security Fixes

  • db/models: Prevented SQL injections in Q/QuerySet via the _connector kwarg.

December 2025

3.2.25+trial

Released Dec 16, 2025

Notes

  • This release contains no functional change from the OSS Django v3.2.25.
  • This release mainlines OSS v3.2.25 into NES v3.2.25+trial.
  • Full package name and version:
    • nes/django@3.2.25+trial
