Django carries two vulnerabilities this period: CVE-2026-3902 (CVSS 7.5, ASGI header spoofing via underscore/hyphen conflation — CWE-290) and CVE-2026-33034 (CVSS 5.3, WSGI upload memory limit bypass via missing or understated Content-Length — CWE-20/CWE-400). CVE-2026-3902 is the higher-priority item for organizations using ASGI deployments where headers drive authentication or access control decisions; affected version ranges are not yet confirmed as of 2026-03-04 and should be verified against the Django security blog and GHSA-mvfq-ggxm-9mc5. Neither CVE has confirmed active exploitation; both warrant patching within normal SLA cadence, with interim reverse proxy header normalization as a compensating control for CVE-2026-3902.
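The underscore/hyphen conflation behind CVE-2026-3902, and the header-normalization control mentioned above, shown as an added example (not Django's patch and not code from the advisory): an ASGI wrapper that drops any request header whose name contains an underscore before the application sees it. The names `DropUnderscoreHeaders`, `strip_underscore_headers`, `cgi_key` and the sample headers are assumptions made for illustration; the same filtering can be applied at the reverse proxy instead.

```python
import asyncio

# Constructed sample: header names as an ASGI server delivers them
# (lowercased bytes). The second and third differ only in "_" versus "-".
SAMPLE_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-user", b"alice"),      # set by the trusted proxy
    (b"x_forwarded_user", b"mallory"),    # client-supplied look-alike
]


def cgi_key(name):
    """CGI-style key naming: uppercase, "-" becomes "_", HTTP_ prefix."""
    return "HTTP_" + name.decode("latin-1").upper().replace("-", "_")


def strip_underscore_headers(headers):
    """Drop every header whose name contains an underscore."""
    return [(n, v) for n, v in headers if b"_" not in n]


class DropUnderscoreHeaders:
    """Hypothetical ASGI wrapper; place it outermost around the application."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            # Copy the scope rather than mutating the server's dict.
            scope = dict(scope, headers=strip_underscore_headers(scope.get("headers", [])))
        await self.app(scope, receive, send)


def run_demo():
    """Return the headers an inner app sees behind the wrapper."""
    seen = {}

    async def inner_app(scope, receive, send):
        seen["headers"] = scope["headers"]

    scope = {"type": "http", "headers": list(SAMPLE_HEADERS)}
    asyncio.run(DropUnderscoreHeaders(inner_app)(scope, None, None))
    return seen["headers"]
```

Clients or integrations that legitimately send underscore header names will lose them under this filter, so inventory those before enabling it.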