Two medium-severity Django vulnerabilities (both CVSS 5.3, priority 0.159) affect WSGI and ASGI deployments respectively: CVE-2026-33034 allows bypass of the DATA_UPLOAD_MAX_MEMORY_SIZE limit via missing or understated Content-Length headers, enabling resource exhaustion (CWE-770); CVE-2026-3902 enables header spoofing via underscore/hyphen conflation in ASGI, potentially bypassing IP-based access controls or authentication middleware (CWE-20, CWE-116). Neither is listed in CISA KEV and neither has confirmed active exploitation, but CVE-2026-3902 poses meaningful risk to any ASGI deployment that uses header-dependent security controls. Upgrading resolves both: Django 6.0 for CVE-2026-33034, and Django 6.0.4 / 5.2 for CVE-2026-3902. Confirm the exact lower-bound affected version ranges against NVD and the official Django security release notes before scoping patch efforts.
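The underscore/hyphen conflation behind CVE-2026-3902, shown as an added example that is not Django's code or its fix: `meta_key` models the CGI-style mapping of header names to `request.META` keys, and `DropUnderscoreHeaders` is a hypothetical pure-ASGI wrapper that discards underscore-named headers before the application sees them. The header values and host name are constructed.

```python
import asyncio

def meta_key(header_name: bytes) -> str:
    """CGI-style mapping to a request.META key: upper-case, '-' -> '_', HTTP_ prefix."""
    return "HTTP_" + header_name.decode("latin-1").upper().replace("-", "_")

def split_headers(headers):
    """Separate ASGI header pairs into (kept, dropped); names containing '_' are dropped."""
    kept, dropped = [], []
    for name, value in headers:
        (dropped if b"_" in name else kept).append((name, value))
    return kept, dropped

class DropUnderscoreHeaders:
    """Hypothetical pure-ASGI middleware: strips underscore-named headers from the scope."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            kept, _ = split_headers(scope.get("headers", []))
            scope = dict(scope, headers=kept)  # copy; leave the caller's scope untouched
        await self.app(scope, receive, send)

# Constructed sample: the proxy-set header plus a client-supplied look-alike.
SAMPLE_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.7"),  # set by the trusted proxy
    (b"x_forwarded_for", b"127.0.0.1"),    # client-supplied underscore variant
]

def headers_seen_by_app(headers):
    """Run one constructed HTTP scope through the middleware; return what the inner app gets."""
    seen = {}
    async def inner_app(scope, receive, send):
        seen["headers"] = scope["headers"]
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        pass
    scope = {"type": "http", "method": "GET", "path": "/", "headers": list(headers)}
    asyncio.run(DropUnderscoreHeaders(inner_app)(scope, receive, send))
    return seen["headers"]

if __name__ == "__main__":
    # Both spellings collapse to the same META key, so a header-based check cannot tell them apart.
    print(meta_key(b"x-forwarded-for"), meta_key(b"x_forwarded_for"))
    print(headers_seen_by_app(SAMPLE_HEADERS))
```

Dropping underscore-named headers also removes any legitimate header that uses that spelling, so review what clients and upstream proxies actually send before wrapping an application this way; it is a stopgap alongside the upgrade, not a replacement for it.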