Django carries two medium-severity CVEs (both CVSS 5.3) this period: CVE-2026-33034 allows resource exhaustion via Content-Length bypass in the WSGI stack, and CVE-2026-3902 enables header spoofing via underscore/hyphen conflation in the ASGI stack. Two related CVEs (CVE-2026-4277 and CVE-2026-4292) were disclosed in the same coordinated release. Neither CVE is listed in the CISA KEV catalog and active exploitation has not been confirmed for either, but CVE-2026-3902 carries meaningful risk for applications that make trust decisions on headers such as X-Forwarded-For or X-Real-IP. Affected version ranges have not been confirmed from primary sources for either CVE; operators should verify them against the official Django security advisory and OSV records GHSA-933h-hp56-hf7m and GHSA-mvfq-ggxm-9mc5 before applying patches, and should implement header and body size controls at the reverse-proxy layer as interim mitigations.
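
The underscore/hyphen conflation described above, as an added example that is not taken from the Django advisory or its patch: header names are mapped to CGI-style keys, so `X_Forwarded_For` and `X-Forwarded-For` land on the same key, and a filter that drops underscore-named headers removes the lookalike before any trust decision. `DropUnderscoreHeaders`, `meta_from_scope`, `seen_meta` and the sample request are hypothetical and constructed, and the comma-join of duplicate keys is an assumption.

```python
import asyncio

def cgi_name(raw: bytes) -> str:
    """CGI-style key: upper-case the header name and turn '-' into '_'."""
    return "HTTP_" + raw.decode("latin-1").upper().replace("-", "_")

def meta_from_scope(scope) -> dict:
    """Simplified stand-in for a framework's header-to-META mapping.
    Assumption: duplicate keys are comma-joined."""
    meta = {}
    for name, value in scope["headers"]:
        key, text = cgi_name(name), value.decode("latin-1")
        meta[key] = f"{meta[key]},{text}" if key in meta else text
    return meta

class DropUnderscoreHeaders:
    """Hypothetical pure-ASGI middleware: drop request headers whose name
    contains '_' so they cannot collide with proxy-set hyphenated headers."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            scope = dict(scope)  # copy, do not mutate the server's scope
            scope["headers"] = [(n, v) for n, v in scope["headers"] if b"_" not in n]
        await self.app(scope, receive, send)

# Constructed sample request (ASGI header names are lower-case bytes).
SAMPLE_SCOPE = {
    "type": "http",
    "headers": [
        (b"host", b"app.example"),
        (b"x-forwarded-for", b"203.0.113.7"),  # set by the trusted proxy
        (b"x_forwarded_for", b"127.0.0.1"),    # client-supplied lookalike
    ],
}

def seen_meta(scope, filtered: bool) -> dict:
    """Return the META-style dict the inner app sees, with or without the filter."""
    seen = {}
    async def inner(scope, receive, send):
        seen.update(meta_from_scope(scope))
    app = DropUnderscoreHeaders(inner) if filtered else inner
    asyncio.run(app(scope, None, None))
    return seen

if __name__ == "__main__":
    print("unfiltered:", seen_meta(SAMPLE_SCOPE, False)["HTTP_X_FORWARDED_FOR"])
    print("filtered:  ", seen_meta(SAMPLE_SCOPE, True)["HTTP_X_FORWARDED_FOR"])
```

The same rule belongs at the reverse proxy as well, so that underscore-named headers never reach the application server.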