Django carries two medium-severity vulnerabilities this period. CVE-2026-3902 (CVSS 6.5) enables HTTP header spoofing through underscore/hyphen conflation in ASGI request handling, which risks bypassing header-dependent authentication and access controls. CVE-2026-33034 (CVSS 5.3) allows memory exhaustion by bypassing DATA_UPLOAD_MAX_MEMORY_SIZE via a missing or understated Content-Length header in WSGI mode. Neither vulnerability is CISA KEV-listed, and EPSS scores are low, indicating no confirmed active exploitation at this time. Recommended actions: upgrade Django 6.0.x to 6.0.4 for CVE-2026-3902; monitor the Django security release page for the CVE-2026-33034 patch; and, as interim compensating controls, enforce Content-Length validation and header normalization at the reverse proxy layer.
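As an added example (not Django's code and not a patch for either CVE), the two compensating checks recommended above, written for a proxy or middleware layer: a header-name collision detector that reproduces the CGI-style META mapping (HTTP_ prefix, uppercase, hyphen folded to underscore) so a second spelling of an access-control header is caught, and a body reader whose cap is enforced on bytes actually received rather than on the declared Content-Length. The `X-Remote-User` header and the small byte limits used for testing are constructed sample values; the 2.5 MB cap is an assumption matching the default Django documents for DATA_UPLOAD_MAX_MEMORY_SIZE.

```python
# Added example, not Django's code: (1) detect raw header names that fold into
# the same META key, (2) read a request body with a limit enforced on received
# bytes, so a missing or understated Content-Length cannot defeat the cap.
from typing import Iterable, Iterator, Optional

# Assumed cap; 2.5 MB is the default Django documents for DATA_UPLOAD_MAX_MEMORY_SIZE.
MAX_BODY_BYTES = 2_621_440


def meta_key(name: str) -> str:
    """CGI-style key a WSGI/ASGI layer derives from a raw header name."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def find_header_collisions(headers: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each META key to the distinct raw spellings that produced it and keep
    only keys fed by more than one spelling (the spoofing condition to reject)."""
    spellings: dict[str, list[str]] = {}
    for raw_name, _value in headers:
        seen = spellings.setdefault(meta_key(raw_name), [])
        if raw_name not in seen:
            seen.append(raw_name)
    return {key: names for key, names in spellings.items() if len(names) > 1}


def body_verdict(chunks: Iterator[bytes], declared_length: Optional[str],
                 limit: int = MAX_BODY_BYTES) -> tuple[str, bytes]:
    """Return ("accepted", body) or (reason, b"") without ever buffering more
    than `limit` bytes, whatever Content-Length claims."""
    declared: Optional[int] = None
    if declared_length is not None:
        if not declared_length.strip().isdigit():
            return "malformed Content-Length", b""
        declared = int(declared_length)
        if declared > limit:
            return "declared length exceeds limit", b""
    # A missing Content-Length is tolerated (chunked bodies are legitimate);
    # the byte counter below is what enforces the limit in that case.
    received = bytearray()
    for chunk in chunks:
        received += chunk
        if len(received) > limit:
            return "body exceeds limit", b""
    if declared is not None and len(received) != declared:
        return "body length disagrees with Content-Length", b""
    return "accepted", bytes(received)
```

A request whose headers yield any collision, or whose body verdict is anything other than "accepted", should be refused before it reaches the application.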