Django carries two medium-severity findings this period. CVE-2026-3902 (CVSS 6.5) is an ASGI-specific header spoofing vulnerability arising from underscore/hyphen header-name conflation, which can enable authentication bypass. CVE-2026-33034 (CVSS 5.3) is a WSGI-mode denial-of-service flaw in which a manipulated Content-Length lets a request bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit. Neither is listed in CISA KEV and both have low EPSS scores, but both are reachable by unauthenticated attackers, so they are meaningful risks for internet-facing Django applications. Recommended actions: confirm the affected version ranges via NVD and the Django security advisories, then patch both CVEs; establish whether each deployment serves Django over ASGI or WSGI, since each finding applies to only one of the two modes; as an interim control for CVE-2026-3902, strip underscore-formatted request headers at the reverse proxy; for CVE-2026-33034, enforce a Content-Length limit at the reverse proxy layer.
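The following is an added example, not code from the bulletin or from the Django project, showing the two interim controls as an ASGI middleware placed in front of an application: it drops any request header whose name contains an underscore, and it rejects a request whose declared Content-Length exceeds a configured ceiling before the body is read. The helper names, the 1024-byte limit, the toy echo application and the constructed requests are all assumptions for illustration; the middleware does not reproduce either CVE's exact mechanism, only the generic conflation that the stripping rule defends against.

```python
"""Added example: ASGI middleware applying the bulletin's two interim controls.
Names, limits and the toy application below are assumptions, not Django code."""
import asyncio

MAX_CONTENT_LENGTH = 1024  # assumed ceiling for this example, in bytes


def is_safe_header(name: bytes) -> bool:
    """Keep a header only if its name contains no underscore."""
    return b"_" not in name


def cgi_style_key(name: bytes) -> bytes:
    """CGI/WSGI-style normalisation (illustrative): upper-case, hyphen -> underscore,
    HTTP_ prefix. Both "x-forwarded-for" and "x_forwarded_for" collapse to the
    same key, which is the conflation the stripping rule is meant to remove."""
    return b"HTTP_" + name.upper().replace(b"-", b"_")


class HeaderHardeningMiddleware:
    """Strips underscore headers and enforces a Content-Length ceiling."""

    def __init__(self, app, max_content_length: int = MAX_CONTENT_LENGTH):
        self.app = app
        self.max_content_length = max_content_length

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        kept = []
        declared_length = None
        for name, value in scope.get("headers", []):
            if not is_safe_header(name):
                continue  # underscore-formatted header: dropped, never forwarded
            if name.lower() == b"content-length":
                try:
                    declared_length = int(value)
                except ValueError:
                    await self._reject(send, 400, b"malformed content-length")
                    return
            kept.append((name, value))
        if declared_length is not None and declared_length > self.max_content_length:
            # Reject on the declared size alone; the body is never read.
            await self._reject(send, 413, b"payload too large")
            return
        await self.app(dict(scope, headers=kept), receive, send)

    @staticmethod
    async def _reject(send, status: int, body: bytes):
        await send({"type": "http.response.start", "status": status,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"content-length", str(len(body)).encode())]})
        await send({"type": "http.response.body", "body": body})


async def echo_app(scope, receive, send):
    """Toy downstream app (assumed): reports which header names reached it."""
    names = b",".join(name for name, _ in scope["headers"])
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": names})


def run_request(headers, app=None):
    """Drive the middleware with a constructed request; no server needed.
    Returns (status, response_body)."""
    app = app or HeaderHardeningMiddleware(echo_app)
    scope = {"type": "http", "method": "POST", "path": "/", "headers": list(headers)}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    body = b"".join(m.get("body", b"") for m in sent[1:])
    return sent[0]["status"], body


if __name__ == "__main__":
    # Constructed request: a spoofed underscore header beside its hyphenated twin.
    print(run_request([(b"host", b"example.test"),
                       (b"x_forwarded_for", b"10.0.0.1"),
                       (b"x-forwarded-for", b"203.0.113.5")]))
    print(run_request([(b"host", b"example.test"), (b"content-length", b"5000")]))
```

The middleware only demonstrates the checks; the bulletin's recommendation is to apply them at the reverse proxy in front of Django, where the equivalent nginx settings are `underscores_in_headers off` (the default, which drops header names containing underscores) and `client_max_body_size`. Whichever layer enforces them, verify that every path to the application passes through it, since an internal service that forwards raw client headers reintroduces the conflation.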

Author

Tech Jacks Solutions