Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Django Missing Authorization Vulnerability (CVE-2026-4292)

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Remediation

References

Related Vulnerabilities

b2evolution Other Vulnerability (CVE-2006-6417)

MySQL CVE-2018-2759 Vulnerability (CVE-2018-2759)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-1590)

IBM RTC Cross-site Scripting (XSS) Vulnerability (CVE-2020-4733)

WordPress Plugin Debug Bar Unspecified Vulnerability (0.8)

Severity

Low

Classification

CVE-2026-4292 CWE-862 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities