Scheduled biweekly dependency update for week 07

[pyup-bot]

Update cryptography from 44.0.0 to 46.0.5.

Changelog

46.0.5

~~~~~~~~~~~~~~~~~~~

* An attacker could create a malicious public key that reveals portions of your
private key when using certain uncommon elliptic curves (binary curves).
This version now includes additional security checks to prevent this attack.
This issue only affects binary elliptic curves, which are rarely used in
real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
**CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
removed in the next release.

.. v46-0-4:

46.0.4

~~~~~~~~~~~~~~~~~~~

* `Dropped support for win_arm64 wheels`_.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 4.2.0.

.. _v46-0-2:

46.0.2

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed an issue where users installing via ``pip`` on Python 3.14 development
versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.

.. _v46-0-0:

46.0.0

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.7 has been removed.
* Support for OpenSSL < 3.0 is deprecated and will be removed in the next
release.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
and will be removed in two releases. We will switch to publishing an
``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
and will be removed in two releases. Users should move to a 64-bit
Python installation.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.3.
* We now build ``ppc64le`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``win_arm64`` (Windows on Arm) wheels and publish them to PyPI.
* Added support for free-threaded Python 3.14.
* Removed the deprecated ``get_attribute_for_oid`` method on
:class:`~cryptography.x509.CertificateSigningRequest`. Users should use
:meth:`~cryptography.x509.Attributes.get_attribute_for_oid` instead.
* Removed the deprecated ``CAST5``, ``SEED``, ``IDEA``, and ``Blowfish``
classes from the cipher module. These are still available in
:doc:`/hazmat/decrepit/index`.
* In X.509, when performing a PSS signature with a SHA-3 hash, it is now
encoded with the official NIST SHA3 OID.

.. _v45-0-7:

45.0.7

~~~~~~~~~~~~~~~~~~~

* Added a function to support an upcoming ``pyOpenSSL`` release.

.. _v45-0-6:

45.0.6

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.2.

.. _v45-0-5:

45.0.5

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.1.

.. _v45-0-4:

45.0.4

~~~~~~~~~~~~~~~~~~~

* Fixed decrypting PKCS8 files encrypted with SHA1-RC4. (This is not
considered secure, and is supported only for backwards compatibility.)

.. _v45-0-3:

45.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed decrypting PKCS8 files encrypted with long salts (this impacts keys
encrypted by Bouncy Castle).
* Fixed decrypting PKCS8 files encrypted with DES-CBC-MD5. While wildly
insecure, this remains prevalent.

.. _v45-0-2:

45.0.2

~~~~~~~~~~~~~~~~~~~

* Fixed using ``mypy`` with ``cryptography`` on older versions of Python.

.. _v45-0-1:

45.0.1

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.0.

.. _v45-0-0:

45.0.0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Support for Python 3.7 is deprecated and will be removed in the next
``cryptography`` release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
* Added support for serialization of PKCS12 Java truststores in
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_java_truststore`
* Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id.derive_phc_encoded` and
:meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id.verify_phc_encoded` methods
to support password hashing in the PHC string format
* Added support for PKCS7 decryption and encryption using AES-256 as the
content algorithm, in addition to AES-128.
* **BACKWARDS INCOMPATIBLE:** Made SSH private key loading more consistent with
other private key loading:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
now raises a ``TypeError`` if the key is unencrypted but a password is
provided (previously no exception was raised), and raises a ``TypeError`` if
the key is encrypted but no password is provided (previously a ``ValueError``
was raised).
* Added ``__copy__`` to the
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`, and
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`
abstract base classes.
* We significantly refactored how private key loading (
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`)
works. This is intended to be backwards compatible for all well-formed keys,
therefore if you discover a key that now raises an exception, please file a
bug with instructions for reproducing.
* Added ``unsafe_skip_rsa_key_validation`` keyword-argument to
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`.
* Added :class:`~cryptography.hazmat.primitives.hashes.XOFHash` to support
repeated :meth:`~cryptography.hazmat.primitives.hashes.XOFHash.squeeze`
operations on extendable output functions.
* Added
:meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.add_response_by_hash`
method to allow creating OCSP responses using certificate hash values rather
than full certificates.
* Extended the :mod:`X.509 path validation <cryptography.x509.verification>` API to
support user-configured extension policies via the
:meth:`PolicyBuilder.extension_policies <cryptography.x509.verification.PolicyBuilder.extension_policies>` method.
* Deprecated the ``subject``, ``verification_time`` and ``max_chain_depth``
properties on :class:`~cryptography.x509.verification.ClientVerifier` and
:class:`~cryptography.x509.verification.ServerVerifier` in favor of a new ``policy`` property.
These properties will be removed in the next release of ``cryptography``.
* **BACKWARDS INCOMPATIBLE:** The
:meth:`VerifiedClient.subject <cryptography.x509.verification.VerifiedClient.subjects>`
property can now be `None` since a custom extension policy may allow certificates
without a Subject Alternative Name extension.
* Changed the behavior when the OpenSSL 3 legacy provider fails to load.
Instead of raising an exception, a warning is now emitted. The
``CRYPTOGRAPHY_OPENSSL_NO_LEGACY`` environment variable can still be used to
disable the legacy provider at runtime.
* Added support for the ``CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY`` environment
variable during build time, which prevents the library from ever attempting
to load the legacy provider.
* Added support for the :class:`~cryptography.x509.PrivateKeyUsagePeriod` X.509 extension.
This extension defines the period during which the private key corresponding
to the certificate's public key may be used.
* Added support for compiling against `aws-lc`_.
* Parsing X.509 structures now more strictly enforces that ``Name`` structures
do not have malformed ASN.1.
* We now publish ``py311`` wheels that utilize the faster ``pyo3::buffer::PyBuffer``
interface, resulting in significantly improved performance for operations
involving small buffers.
* Added :func:`~cryptography.hazmat.primitives.serialization.ssh_key_fingerprint`
for computing fingerprints of SSH public keys.
* Added support for deterministic ECDSA signing via the new keyword-only argument
``ecdsa_deterministic`` in :meth:`~cryptography.x509.CertificateBuilder.sign`,
:meth:`~cryptography.x509.CertificateRevocationListBuilder.sign`
and :meth:`~cryptography.x509.CertificateSigningRequestBuilder.sign`.

.. _v44-0-3:

44.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 4.1.0.

.. _v44-0-2:

44.0.2

~~~~~~~~~~~~~~~~~~~

* We now build wheels for PyPy 3.11.

.. _v44-0-1:

44.0.1

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.

.. _v44-0-0:

Links

• PyPI: https://pypi.org/project/cryptography
• Changelog: https://data.safetycli.com/changelogs/cryptography/

Update Django from 4.2.13 to 6.0.2.

Changelog

6.0.2

==========================

*February 3, 2026*

Django 6.0.2 fixes three security issues with severity "high", two security
issues with severity "moderate", one security issue with severity "low", and
several bugs in 6.0.1.

CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
=================================================================================================

The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
allowed remote attackers to enumerate users via a timing attack.

This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
==============================================================================================

When receiving duplicates of a single header, ``ASGIRequest`` allowed a remote
attacker to cause a potential denial-of-service via a specifically created
request with multiple duplicate headers. The vulnerability resulted from
repeated string concatenation while combining repeated headers, which
produced super-linear computation resulting in service degradation or outage.

This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.

CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
====================================================================

:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
on PostGIS) were subject to SQL injection if untrusted data was used as a band
index.

As a reminder, all untrusted user input should be validated before use.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
========================================================================================================

``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods (with
``html=True``) and the :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters were subject to a potential
denial-of-service attack via certain inputs with a large number of unmatched
HTML end tags, which could cause quadratic time complexity during HTML parsing.

This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.

CVE-2026-1287: Potential SQL injection in column aliases via control characters
===============================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases via
control characters, using a suitably crafted dictionary, with dictionary
expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`,
:meth:`~.QuerySet.aggregate`, :meth:`~.QuerySet.extra`,
:meth:`~.QuerySet.values`, :meth:`~.QuerySet.values_list`, and
:meth:`~.QuerySet.alias`.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``
=========================================================================================

:meth:`.QuerySet.order_by` was subject to SQL injection in column aliases
containing periods when the same alias was, using a suitably crafted
dictionary, with dictionary expansion, used in :class:`.FilteredRelation`.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.

Bugfixes
========

* Fixed a visual regression in Django 6.0 that caused the admin filter sidebar
to wrap below the changelist when filter elements contained long text
(:ticket:`36850`).

* Fixed a visual regression in Django 6.0 for admin form fields grouped under a
``<fieldset>`` aligned horizontally (:ticket:`36788`).

* Fixed a regression in Django 6.0 where ``auto_now_add`` field values were not
populated during ``INSERT`` operations, due to incorrect parameters passed to
``field.pre_save()`` (:ticket:`36847`).


==========================

6.0.1

==========================

*January 6, 2026*

Django 6.0.1 fixes one data loss bug introduced in Django 5.2 as well as
several other bugs in Django 6.0.

Bugfixes
========

* Fixed a bug in Django 5.2 where data exceeding ``max_length`` was silently
truncated by :meth:`.QuerySet.bulk_create` on PostgreSQL (:ticket:`33647`).

* Fixed a regression in Django 6.0 where :ttag:`querystring` mishandled
multi-value :class:`~django.http.QueryDict` keys, both by only preserving the
last value and by incorrectly handling ``None`` values (:ticket:`36783`).

* Fixed a regression in Django 6.0 that prevented changing the name of a
:class:`~django.db.models.ManyToManyField` from taking effect when applying
migrations (:ticket:`36800`).

* Fixed a bug where management command colorized help (introduced in
Python 3.14) ignored the :option:`--no-color` option and the
:envvar:`DJANGO_COLORS` setting (:ticket:`36376`).

* Fixed a regression in Django 6.0 that caused
:meth:`~django.db.models.query.QuerySet.bulk_create` to crash
when introspecting the connection on SQLite (:ticket:`36818`).

* Fixed a visual regression in Django 6.0 for admin form fields grouped under a
``<fieldset>`` in Safari (:ticket:`36807`).

* Fixed a crash in Django 6.0 caused by infinite recursion when calling
``repr()`` on an unevaluated ``django.utils.csp.LazyNonce`` instance
(:ticket:`36810`).

* Fixed a regression in Django 6.0 where :func:`~django.urls.path` routes
defined using :func:`~django.utils.translation.gettext_lazy` failed to
resolve correctly (:ticket:`36796`).

* Fixed a regression in Django 6.0 where the :attr:`.Widget.use_fieldset`
attribute of :class:`~django.forms.ClearableFileInput` was flipped
from ``False`` to ``True`` (:ticket:`36829`).

* Reverted an undocumented optimization in Django 6.0 that modified permission
:attr:`~django.contrib.auth.models.Permission.name` and
:attr:`~django.contrib.auth.models.Permission.codename` values when renaming
models via a migration. This change could affect unrelated
:class:`~django.contrib.auth.models.Permission` objects (:ticket:`36843`) and
did not report conflicts (:ticket:`36793`).


========================

6.0

========================

*December 3, 2025*

Welcome to Django 6.0!

These release notes cover the :ref:`new features <whats-new-6.0>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-6.0>` you
should be aware of when upgrading from Django 5.2 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-6.0>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Python compatibility
====================

Django 6.0 supports Python 3.12, 3.13, and 3.14. We **highly recommend**, and
only officially support, the latest release of each series.

The Django 5.2.x series is the last to support Python 3.10 and 3.11.

Third-party library support for older versions of Django
========================================================

Following the release of Django 6.0, we suggest that third-party app authors
drop support for all versions of Django prior to 5.2. At that time, you should
be able to run your package's tests using ``python -Wd`` so that deprecation
warnings appear. After making the deprecation warning fixes, your app should be
compatible with Django 6.0.

.. _whats-new-6.0:

What's new in Django 6.0
========================

Content Security Policy support
-------------------------------

Built-in support for the :ref:`Content Security Policy (CSP) <security-csp>`
standard is now available, making it easier to protect web applications against
content injection attacks such as cross-site scripting (XSS). CSP allows
declaring trusted sources of content by giving browsers strict rules about
which scripts, styles, images, or other resources can be loaded.

CSP policies can now be enforced or monitored directly using built-in tools:
headers are added via the
:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware`, nonces are
supported through the :func:`~django.template.context_processors.csp` context
processor, and policies are configured using the :setting:`SECURE_CSP` and
:setting:`SECURE_CSP_REPORT_ONLY` settings.

These settings accept Python dictionaries and support Django-provided constants
for clarity and safety. For example::

 from django.utils.csp import CSP

 SECURE_CSP = {
     "default-src": [CSP.SELF],
     "script-src": [CSP.SELF, CSP.NONCE],
     "img-src": [CSP.SELF, "https:"],
 }

The resulting ``Content-Security-Policy`` header would be set to:

.. code-block:: text

 default-src 'self'; script-src 'self' 'nonce-SECRET'; img-src 'self' https:

To get started, follow the :doc:`CSP how-to guide </howto/csp>`. For in-depth
guidance, see the :ref:`CSP security overview <security-csp>` and the
:doc:`reference docs </ref/csp>`, which include details about decorators to
override or disable policies on a per-view basis.

Template Partials
-----------------

The :ref:`Django Template Language <template-language-intro>` now supports
:ref:`template partials <template-partials>`, making it easier to encapsulate
and reuse small named fragments within a template file. The new tags
:ttag:`{% partialdef %} <partialdef>` and :ttag:`{% partial %} <partial>`
define a partial and render it, respectively.

Partials can also be referenced using the ``template_namepartial_name`` syntax
with :func:`~django.template.Engine.get_template`,
:func:`~django.shortcuts.render`, :ttag:`{% include %}<include>`, and other
template-loading tools, enabling more modular and maintainable templates
without needing to split components into separate files.

A `migration guide`_ is available if you're updating from the
:pypi:`django-template-partials` third-party package.

.. _migration guide: https://github.com/carltongibson/django-template-partials/blob/main/Migration.md

Background Tasks
----------------

Django now includes a built-in Tasks framework for running code outside the
HTTP request–response cycle. This enables offloading work, such as sending
emails or processing data, to background workers.

The framework provides task definition, validation, queuing, and result
handling. Django guarantees consistent behavior for creating and managing
tasks, while the responsibility for running them continues to belong to
external worker processes.

Tasks are defined using the :func:`~django.tasks.task` decorator::

 from django.core.mail import send_mail
 from django.tasks import task


 task
 def email_users(emails, subject, message):
     return send_mail(subject, message, None, emails)

Once defined, tasks can be enqueued through a configured backend::

 email_users.enqueue(
     emails=["userexample.com"],
     subject="You have a message",
     message="Hello there!",
 )

Backends are configured via the :setting:`TASKS` setting. The :ref:`two
built-in backends <task-available-backends>` included in this release are
primarily intended for development and testing.

Django handles task creation and queuing, but does not provide a worker
mechanism to run tasks. Execution must be managed by external infrastructure,
such as a separate process or service.

See :doc:`/topics/tasks` for an overview and the :doc:`Tasks reference
</ref/tasks>` for API details.

Adoption of Python's modern email API
-------------------------------------

Email handling in Django now uses Python's modern email API, introduced in
Python 3.6. This API, centered around the
:class:`email.message.EmailMessage` class, offers a cleaner and
Unicode-friendly interface for composing and sending emails. It replaces use of
Python's older legacy (``Compat32``) API, which relied on lower-level MIME
classes (from :mod:`email.mime`) and required more manual handling of
message structure and encoding.

Notably, the return type of the :meth:`EmailMessage.message()
<django.core.mail.EmailMessage.message>` method is now an instance of Python's
:class:`email.message.EmailMessage`. This supports the same API as the
previous ``SafeMIMEText`` and ``SafeMIMEMultipart`` return types, but is not an
instance of those now-deprecated classes.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The Font Awesome Free icon set (version 6.7.2) is now used for the admin
interface icons.

* The new :attr:`.AdminSite.password_change_form` attribute allows customizing
the form used in the admin site password change view.

* Message levels ``messages.DEBUG`` and ``messages.INFO`` now have distinct
icons and CSS styling. Previously, both levels shared the same appearance as
``messages.SUCCESS``. Given that :meth:`.ModelAdmin.message_user` uses
``messages.INFO`` by default, set the level to ``messages.SUCCESS`` to keep
the previous icon and styling.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased from
1,000,000 to 1,200,000.

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :attr:`.GEOSGeometry.hasm` property checks whether the geometry has
the M dimension.

* The new :class:`~django.contrib.gis.db.models.functions.Rotate` database
function rotates a geometry by a specified angle around the origin or a
specified point.

* The new :attr:`.BaseGeometryWidget.base_layer` attribute allows specifying a
JavaScript map base layer, enabling customization of map tile providers.

* :lookup:`coveredby` and :lookup:`isvalid` lookups,
:class:`~django.contrib.gis.db.models.Collect` aggregation, and
:class:`~django.contrib.gis.db.models.functions.GeoHash` and
:class:`~django.contrib.gis.db.models.functions.IsValid` database functions
are now supported on MariaDB 12.0.1+.

* The new :lookup:`geom_type` lookup and
:class:`GeometryType() <django.contrib.gis.db.models.functions.GeometryType>`
database function allow filtering geometries by their types.

* Widgets from :mod:`django.contrib.gis.forms.widgets` now render without
inline JavaScript in templates. If you have customized any geometry widgets
or their templates, you may need to :ref:`update them
<geometry-widgets-customization>` to match the new layout.

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :class:`Lexeme <django.contrib.postgres.search.Lexeme>` expression
for full text search provides fine-grained control over search terms.
``Lexeme`` objects automatically escape their input and support logical
combination operators (``&``, ``|``, ``~``), prefix matching, and term
weighting.

* Model fields, indexes, and constraints from :mod:`django.contrib.postgres`
now include system checks to verify that ``django.contrib.postgres`` is an
installed app.

* The :class:`.CreateExtension`, :class:`.BloomExtension`,
:class:`.BtreeGinExtension`, :class:`.BtreeGistExtension`,
:class:`.CITextExtension`, :class:`.CryptoExtension`,
:class:`.HStoreExtension`, :class:`.TrigramExtension`, and
:class:`.UnaccentExtension` operations now support the optional ``hints``
parameter. This allows providing database hints to database routers to assist
them in :ref:`making routing decisions <topics-db-multi-db-hints>`.

:mod:`django.contrib.staticfiles`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :class:`~django.contrib.staticfiles.storage.ManifestStaticFilesStorage` now
ensures consistent path ordering in manifest files, making them more
reproducible and reducing unnecessary diffs.

* The :djadmin:`collectstatic` command now reports only a summary for skipped
files (and for deleted files when using ``--clear``) at ``--verbosity`` 1. To
see per-file details for either case, set ``--verbosity`` to 2 or higher.

Email
~~~~~

* The new ``policy`` argument for :meth:`EmailMessage.message()
<django.core.mail.EmailMessage.message>` allows specifying the email policy,
the set of rules for updating and serializing the representation of the
message. Defaults to :data:`email.policy.default`.

* :meth:`EmailMessage.attach() <django.core.mail.EmailMessage.attach>` now
accepts a :class:`~email.message.MIMEPart` object from Python's modern email
API.

Internationalization
~~~~~~~~~~~~~~~~~~~~

* Added support and translations for the Haitian Creole language.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The :djadmin:`startproject` and :djadmin:`startapp` commands now create the
custom target directory if it doesn't exist.

* Common utilities, such as ``django.conf.settings``, are now automatically
imported to the :djadmin:`shell` by default.

Migrations
~~~~~~~~~~

* Squashed migrations can now themselves be squashed before being transitioned
to normal migrations.

* Migrations now support serialization of :class:`zoneinfo.ZoneInfo` instances.

* Serialization of deconstructible objects now supports keyword arguments with
names that are not valid Python identifiers.

Models
~~~~~~

* :doc:`Constraints </ref/models/constraints>` now implement a ``check()``
method that is already registered with the check framework.

* The new ``order_by`` argument for :class:`~django.db.models.Aggregate` allows
specifying the ordering of the elements in the result.

* The new :attr:`.Aggregate.allow_order_by` class attribute determines whether
the aggregate function allows passing an ``order_by`` keyword argument.

* The new :class:`~django.db.models.StringAgg` aggregate returns the input
values concatenated into a string, separated by the ``delimiter`` string.
This aggregate was previously supported only for PostgreSQL.

* The :meth:`~django.db.models.Model.save` method now raises a specialized
:exc:`Model.NotUpdated <django.db.models.Model.NotUpdated>` exception, when
:ref:`a forced update <ref-models-force-insert>` results in no affected rows,
instead of a generic :exc:`django.db.DatabaseError`.

* :meth:`.QuerySet.raw` now supports models with a
:class:`~django.db.models.CompositePrimaryKey`.

* Subqueries returning a :class:`~django.db.models.CompositePrimaryKey` can now
be used as the target of lookups other than ``__in``, such as ``__exact``.

* :class:`~django.db.models.JSONField` now supports
:ref:`negative array indexing <key-index-and-path-transforms>` on SQLite.

* The new :class:`~django.db.models.AnyValue` aggregate returns an arbitrary
value from the non-null input values. This is supported on SQLite, MySQL,
Oracle, and PostgreSQL 16+.

* :class:`~django.db.models.GeneratedField`\s and :ref:`fields assigned
expressions <avoiding-race-conditions-using-f>` are now refreshed from the
database after :meth:`~django.db.models.Model.save` on backends that support
the ``RETURNING`` clause (SQLite, PostgreSQL, and Oracle). On backends that
don't support it (MySQL and MariaDB), the fields are marked as deferred to
trigger a refresh on subsequent accesses.

* Using a :ref:`ForeignObject <cpk-and-relations>` with multiple
``from_fields`` in Model indexes, constraints, or :attr:`unique_together
<django.db.models.Options.unique_together>` now emits a system check error.

Pagination
~~~~~~~~~~

* The new :class:`~django.core.paginator.AsyncPaginator` and
:class:`~django.core.paginator.AsyncPage` provide async implementations of
:class:`~django.core.paginator.Paginator` and
:class:`~django.core.paginator.Page` respectively.

Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~

* Multiple ``Cookie`` headers are now supported for HTTP/2 requests when
running with ASGI.

Templates
~~~~~~~~~

* The new variable ``forloop.length`` is now available within a :ttag:`for`
loop.

* The :ttag:`querystring` template tag now consistently prefixes the returned
query string with a ``?``, ensuring reliable link generation behavior.

* The :ttag:`querystring` template tag now accepts multiple positional
arguments, which must be mappings, such as :class:`~django.http.QueryDict`
or :class:`dict`.

Tests
~~~~~

* The :class:`.DiscoverRunner` now supports parallel test execution on systems
using the ``forkserver`` :mod:`multiprocessing` start method.

.. _backwards-incompatible-6.0:

Backwards incompatible changes in 6.0
=====================================

Database backend API
--------------------

This section describes changes that may be needed in third-party database
backends.

* :class:`~django.db.backends.base.schema.BaseDatabaseSchemaEditor` and
PostgreSQL backends no longer use ``CASCADE`` when dropping a column.

* ``DatabaseOperations.return_insert_columns()`` and
``DatabaseOperations.fetch_returned_insert_rows()`` methods are renamed to
``returning_columns()`` and ``fetch_returned_rows()``, respectively, to
denote they can be used in the context of ``UPDATE … RETURNING`` statements
as well as ``INSERT … RETURNING``.

* The ``DatabaseOperations.fetch_returned_insert_columns()`` method is removed
and the ``fetch_returned_rows()`` method replacing
``fetch_returned_insert_rows()`` expects both a ``cursor`` and
``returning_params`` to be provided, just like
``fetch_returned_insert_columns()`` did.

* If the database supports ``UPDATE … RETURNING`` statements, backends can set
``DatabaseFeatures.can_return_rows_from_update=True``.

Dropped support for MariaDB 10.5
--------------------------------

Upstream support for MariaDB 10.5 ends in June 2025. Django 6.0 supports
MariaDB 10.6 and higher.

Dropped support for Python < 3.12
---------------------------------

Because Python 3.12 is now the minimum supported version for Django, any
optional dependencies must also meet that requirement. The following versions
of each library are the first to add or confirm compatibility with Python 3.12:

* ``aiosmtpd`` 1.4.5
* ``argon2-cffi`` 23.1.0
* ``bcrypt`` 4.1.1
* ``docutils`` 0.22
* ``geoip2`` 4.8.0
* ``Pillow`` 10.1.0
* ``mysqlclient`` 2.2.1
* ``numpy`` 1.26.0
* ``PyYAML`` 6.0.2
* ``psycopg`` 3.1.12
* ``psycopg2`` 2.9.9
* ``redis-py`` 5.1.0
* ``selenium`` 4.23.0
* ``sqlparse`` 0.5.0
* ``tblib`` 3.0.0

Email
-----

* The undocumented ``mixed_subtype`` and ``alternative_subtype`` properties
of :class:`~django.core.mail.EmailMessage` and
:class:`~django.core.mail.EmailMultiAlternatives` are no longer supported.

* The undocumented ``encoding`` property of
:class:`~django.core.mail.EmailMessage` no longer supports Python legacy
:class:`email.charset.Charset` objects.

* As the internal implementations of :class:`~django.core.mail.EmailMessage`
and :class:`~django.core.mail.EmailMultiAlternatives` have changed
significantly, closely examine any custom subclasses that rely on overriding
undocumented, internal underscore methods.

``DEFAULT_AUTO_FIELD`` setting now defaults to ``BigAutoField``
---------------------------------------------------------------

Since Django 3.2, when the :setting:`DEFAULT_AUTO_FIELD` setting was added,
the default :djadmin:`startproject` template's ``settings.py`` contained::

 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

and the default :djadmin:`startapp` template's ``AppConfig`` contained::

 default_auto_field = "django.db.models.BigAutoField"

At that time, the default value of :setting:`DEFAULT_AUTO_FIELD` remained
:class:`django.db.models.AutoField` for backwards compatibility.

In Django 6.0, :setting:`DEFAULT_AUTO_FIELD` now defaults to
:class:`django.db.models.BigAutoField` and the aforementioned lines in the
project and app templates are removed.

Most projects shouldn't be affected, since Django 3.2 has raised the system
check warning **models.W042** for projects that don't set
:setting:`DEFAULT_AUTO_FIELD`.

If you haven't dealt with this warning by now, add
``DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'`` to your project's
settings, or ``default_auto_field = 'django.db.models.AutoField'`` to an app's
``AppConfig``, as needed.

Custom ORM expressions should return params as a tuple
------------------------------------------------------

Prior to Django 6.0, :doc:`custom lookups </howto/custom-lookups>` and
:ref:`custom expressions <writing-your-own-query-expressions>` implementing the
``as_sql()`` method (and its supporting methods ``process_lhs()`` and
``process_rhs()``) were allowed to return a sequence of params in either a list
or a tuple. To address the interoperability problems that resulted, the second
return element of the ``as_sql()`` method should now be a tuple::

def as_sql(self, compiler, connection) -> tuple[str, tuple]: ...

If your custom expressions support multiple versions of Django, you should
adjust any pre-processing of parameters to be resilient against either tuples
or lists. For instance, prefer unpacking like this::

params = (*lhs_params, *rhs_params)

Miscellaneous
-------------

* The :ref:`JSON <serialization-formats-json>` serializer now writes a newline
at the end of the output, even without the ``indent`` option set.

* The minimum supported version of ``asgiref`` is increased from 3.8.1 to
3.9.1.

.. currentmodule:: django.db.models

* :meth:`Field.pre_save` may now be called more than once when saving model
instances, so custom implementations should be idempotent and free of side
effects.

.. _deprecated-features-6.0:

Features deprecated in 6.0
==========================

Positional arguments in ``django.core.mail`` APIs
-------------------------------------------------

:mod:`django.core.mail` APIs now require keyword arguments for less commonly
used parameters. Using positional arguments for these now emits a deprecation
warning and will raise a :exc:`TypeError` when the deprecation period ends:

* All *optional* parameters (``fail_silently`` and later) must be passed as
keyword arguments to :func:`.get_connection`, :func:`.mail_admins`,
:func:`.mail_managers`, :func:`.send_mail`, and :func:`.send_mass_mail`.

* All parameters must be passed as keyword arguments when creating an
:class:`.EmailMessage` or :class:`.EmailMultiAlternatives` instance, except
for the first four (``subject``, ``body``, ``from_email``, and ``to``), which
may still be passed either as positional or keyword arguments.

Miscellaneous
-------------

* ``BaseDatabaseCreation.create_test_db(serialize)`` is deprecated. Use
``serialize_db_to_string()`` instead.

* The PostgreSQL ``StringAgg`` class is deprecated in favor of the generally
available :class:`~django.db.models.StringAgg` class.

* The PostgreSQL ``OrderableAggMixin`` is deprecated in favor of the
``order_by`` attribute now available on the
:class:`~django.db.models.Aggregate` class.

* The default protocol in :tfilter:`urlize` and :tfilter:`urlizetrunc` will
change from HTTP to HTTPS in Django 7.0. Set the transitional setting
:setting:`URLIZE_ASSUME_HTTPS` to ``True`` to opt into assuming HTTPS during
the Django 6.x release cycle.

* The :setting:`URLIZE_ASSUME_HTTPS` transitional setting is deprecated.

* Setting :setting:`ADMINS` or :setting:`MANAGERS` to a list of (name, address)
tuples is deprecated. Set to a list of email address strings instead. Django
never used the name portion. To include a name, format the address string as
``'"Name" <address>'`` or use Python's :func:`email.utils.formataddr`.

* Support for the ``orphans`` argument being larger than or equal to the
``per_page`` argument of :class:`django.core.paginator.Paginator` and
:class:`django.core.paginator.AsyncPaginator` is deprecated.

* Using a percent sign in a column alias or annotation is deprecated.

* Support for passing Python's legacy email :class:`~email.mime.base.MIMEBase`
object to
:meth:`EmailMessage.attach() <django.core.mail.EmailMessage.attach>` (or
including one in the message's ``attachments`` list) is deprecated. For
complex attachments requiring additional headers or parameters, switch to the
modern email API's :class:`~email.message.MIMEPart`.

* The ``django.core.mail.BadHeaderError`` exception is deprecated. Python's
modern email raises a :exc:`!ValueError` for email headers containing
prohibited characters.

* The ``django.core.mail.SafeMIMEText`` and ``SafeMIMEMultipart`` classes are
deprecated.

* The undocumented ``django.core.mail.forbid_multi_line_headers()`` and
``django.core.mail.message.sanitize_address()`` functions are deprecated.

Features removed in 6.0
=======================

These features have reached the end of their deprecation cycle and are removed
in Django 6.0.

See :ref:`deprecated-features-5.0` for details on these changes, including how
to remove usage of these features.

* Support for passing positional arguments to ``BaseConstraint`` is removed.

* The ``DjangoDivFormRenderer`` and ``Jinja2DivFormRenderer`` transitional form
renderers are removed.

* ``BaseDatabaseOperations.field_cast_sql()`` is removed.

* ``request`` is required in the signature of ``ModelAdmin.lookup_allowed()``
subclasses.

* Support for calling ``format_html()`` without passing args or kwargs is
removed.

* The default scheme for ``forms.URLField`` has changed from ``"http"`` to
``"https"``.

* The ``FORMS_URLFIELD_ASSUME_HTTPS`` transitional setting is removed.

* The ``django.db.models.sql.datastructures.Join`` no longer falls back to
``get_joining_columns()``.

* The ``get_joining_columns()`` method of ``ForeignObject`` and
``ForeignObjectRel`` is removed.

* The ``ForeignObject.get_reverse_joining_columns()`` method is removed.

* Support for ``cx_Oracle`` is removed.

* The ``ChoicesMeta`` alias to ``django.db.models.enums.ChoicesType`` is
removed.

* The ``Prefetch.get_current_queryset()`` method is removed.

* The ``get_prefetch_queryset()`` method of related managers and descriptors is
removed.

* ``get_prefetcher()`` and ``prefetch_related_objects()`` no longer fall back
to ``get_prefetch_queryset()``.

See :ref:`deprecated-features-5.1` for details on these changes, including how
to remove usage of these features.

* ``django.urls.register_converter()`` no longer allows overriding existing
converters.

* The ``ModelAdmin.log_deletion()`` and ``LogEntryManager.log_action()``
methods are removed.

* The undocumented ``django.utils.itercompat.is_iterable()`` function and the
``django.utils.itercompat`` module are removed.

* The ``django.contrib.gis.geoip2.GeoIP2.coords()`` method is removed.

* The ``django.contrib.gis.geoip2.GeoIP2.open()`` method is removed.

* Support for passing positional arguments to ``Model.save()`` and
``Model.asave()`` is removed.

* The setter for ``django.contrib.gis.gdal.OGRGeometry.coord_dim`` is removed.

* The ``check`` keyword argument of ``CheckConstraint`` is removed.

* The ``get_cache_name()`` method of ``FieldCacheMixin`` is removed.

* The ``OS_OPEN_FLAGS`` attribute of
:class:`~django.core.files.storage.FileSystemStorage` is removed.








===========================

5.2.11

===========================

*February 3, 2026*

Django 5.2.11 fixes three security issues with severity "high", two security
issues with severity "moderate", and one security issue with severity "low" in
5.2.10.

CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
=================================================================================================

The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
allowed remote attackers to enumerate users via a timing attack.

This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
==============================================================================================

When receiving duplicates of a single header, ``ASGIRequest`` allowed a remote
attacker to cause a potential denial-of-service via a specifically created
request with multiple duplicate headers. The vulnerability resulted from
repeated string concatenation while combining repeated headers, which
produced super-linear computation resulting in service degradation or outage.

This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.

CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
====================================================================

:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
on PostGIS) were subject to SQL injection if untrusted data was used as a band
index.

As a reminder, all untrusted user input should be validated before use.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2026-1285: Potential denial-of-service vulnerability in ``django.utils.text.Truncator`` HTML methods
========================================================================================================

``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods (with
``html=True``) and the :tfilter:`truncatechars_html` and
:tfilter:`truncatewords_html` template filters were subject to a potential
denial-of-service attack via certain inputs with a large number of unmatched
HTML end tags, which could cause quadratic time complexity during HTML parsing.

This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.

CVE-2026-1287: Potential SQL injection in column aliases via control characters
===============================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases via
control characters, using a suitably crafted dictionary, with dictionary
expansion, as the ``**kwargs`` passed to :meth:`.QuerySet.annotate`,
:meth:`~.QuerySet.aggregate`, :meth:`~.QuerySet.extra`,
:meth:`~.QuerySet.values`, :meth:`~.QuerySet.values_list`, and
:meth:`~.QuerySet.alias`.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and ``FilteredRelation``
=========================================================================================

:meth:`.QuerySet.order_by` was subject to SQL injection in column aliases
containing periods when the same alias was, using a suitably crafted
dictionary, with dictionary expansion, used in :class:`.FilteredRelation`.

This issue has severity "high" according to the :ref:`Django security policy
<security-disclosure>`.


===========================

5.2.10

===========================

*January 6, 2026*

Django 5.2.10 fixes a data loss bug introduced in Django 5.2 and one bug
related to support for Python 3.14.

Bugfixes
========

* Fixed a bug in Django 5.2 where data exceeding ``max_length`` was silently
truncated by :meth:`.QuerySet.bulk_create` on PostgreSQL (:ticket:`33647`).

* Fixed a bug where management command colorized help (introduced in
Python 3.14) ignored the :option:`--no-color` option and the
:envvar:`DJANGO_COLORS` setting (:ticket:`36376`).


==========================

5.2.9

==========================

*December 2, 2025*

Django 5.2.9 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.8.

CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
============================================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.

CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
=================================================================================

:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
denial-of-service attack due to quadratic time complexity when deserializing
crafted documents containing many nested invalid elements. The internal helper
``django.core.serializers.xml_serializer.getInnerText()`` previously
accumulated inner text inefficiently during recursion. It now collects text per
element, avoiding excessive resource usage.

Bugfixes
========

* Fixed a bug in Django 5.2 where
``django.utils.feedgenerator.Stylesheet.__str__()`` did not escape
the ``url``, ``mimetype``, and ``media`` attributes, potentially leading
to invalid XML markup (:ticket:`36733`).

* Fixed a bug in Django 5.2 on PostgreSQL where ``bulk_create()`` did not apply
a field's custom query placeholders (:ticket:`36748`).

* Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
functions with an empty ``Q`` filter over a queryset with annotations
(:ticket:`36751`).

* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
:class:`~django.http.HttpResponseRedirect` and
:class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
characters. The limit is now 16384 characters (:ticket:`36743`).

* Fixed a crash on Python 3.14+ that prevented template tag functions from
being registered when their type annotations required deferred evaluation
(:ticket:`36712`).


==========================

5.2.8

==========================

*November 5, 2025*

Django 5.2.8 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
with Python 3.14.

CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================

Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).

CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
===========================================================================

:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
and :class:`~.Q` were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the ``_connector`` argument.

Bugfixes
========

* Added compatibility for ``oracledb`` 3.4.0 (:ticket:`36646`).

* Fixed a bug in Django 5.2 where ``QuerySet.first()`` and ``QuerySet.last()``
raised an error on querysets performing aggregation that selected all fields
of a composite primary key (:ticket:`36648`).

* Fixed a bug in Django 5.2 where proxy models having a ``CompositePrimaryKey``
incorrectly raised a ``models.E042`` system check error (:ticket:`36704`).


==========================

5.2.7

==========================

*October 1, 2025*

Django 5.2.7 fixes one security issue with severity "high", one security issue
with severity "low", and one bug in 5.2.6. Also, the latest string translations
from Transifex are incorporated.

CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================

:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).

CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
===============================================================================

The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
partial directory-traversal via an archive with file paths sharing a common
prefix with the target directory (follow up to :cve:`2021-3281`).

Bugfixes
========

* Fixed a regression in Django 5.2 that reduced the color contrast of
the chosen label of ``filter_horizontal`` and ``filter_vertical`` widgets
within a ``TabularInline`` (:ticket:`36601`).


==========================

5.2.6

==========================

*September 3, 2025*

Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.

CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

Bugfixes
========

* Fixed a bug where using ``QuerySet.values()`` or ``values_list()`` with a
``ForeignObject`` composed of multiple fields returned incorrect results
instead of tuples of the referenced fields (:ticket:`36431`).


==========================

5.2.5

==========================

*August 6, 2025*

Django 5.2.5 fixes several bugs in 5.2.4.

Bugfixes
========

* Fixed a regression in Django 5.2.1 that prevented the usage of ``UNNEST``
PostgreSQL strategy of ``QuerySet.bulk_create()`` with foreign keys
(:ticket:`36502`).

* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions (:ticket:`36522`).

* Fixed a crash in Django 5.2 when validating a model that uses
``GeneratedField`` or constraints composed of ``Q`` and ``Case`` lookups
(:ticket:`36518`).

* Added compatibility for ``docutils`` 0.22 (:ticket:`36535`).

* Fixed a crash in Django 5.2 when using a ``ManyToManyField`` on a model with
a composite primary key, by extending the ``fields.E347`` system check
(:ticket:`36530`).


==========================

5.2.4

==========================

*July 2, 2025*

Django 5.2.4 fixes several bugs in 5.2.3.

Bugfixes
========

* Fixed a regression in Django 5.2.2 where
:meth:`HttpRequest.get_preferred_type() <django.http.HttpRequest.get_preferred_type>`
incorrectly preferred more specific media types with a lower quality
(:ticket:`36447`).

* Fixed a regression in Django 5.2.3 where ``Value(None, JSONField())`` used in
a :class:`~django.db.models.expressions.When` condition was incorrectly
serialized as SQL ``NULL`` instead of JSON ``null`` (:ticket:`36453`).

* Fixed a crash in Django 5.2 when performing an ``__in`` lookup involving a
composite primary key and a subquery on backends that lack native support for
tuple lookups (:ticket:`36464`).


==========================

5.2.3

==========================

*June 10, 2025*

Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a log injection possibility by migrating remaining response logging
to ``django.utils.log.log_response()``, which safely escapes arguments such
as the request path to prevent unsafe log output (:cve:`2025-48432`).

* Fixed a regression in Django 5.2 that caused :meth:`.QuerySet.bulk_update` to
incorrectly convert ``None`` to JSON ``null`` instead of SQL ``NULL`` for
``JSONField`` (:ticket:`36419`).

* Fixed a regression in Django 5.2.2 where the ``q`` parameter was removed from
the internal ``django.http.MediaType.params`` property (:ticket:`36446`).


==========================

5.2.2

==========================

*June 4, 2025*

Django 5.2.2 fixes a security issue with severity "low" and several bugs in
5.2.1.

CVE-2025-48432: Potential log injection via unescaped request path
==================================================================

Internal HTTP response logging used ``request.path`` directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.

Although this does not directly impact Django's security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
``django.utils.log.log_response()`` function now escapes all positional
formatting arguments using a safe encoding.

Bugfixes
========

* Fixed a crash when using ``select_related`` against a ``ForeignObject``
originating from a model with a ``CompositePrimaryKey`` (:ticket:`36373`).

* Fixed a bug in Django 5.2 where subqueries using ``"pk"`` to reference models
with a ``CompositePrimaryKey`` failed to raise ``ValueError`` when too many
or too few columns were selected (:ticket:`36392`).

* Fixed a regression in Django 5.2 that caused a crash when no arguments were
passed into ``QuerySet.union()`` (:ticket:`36388`).

* Fixed a regression in Django 5.2 where subclasses of ``RemoteUserMiddleware``
that had overridden ``process_request()`` were no longer supported
(:ticket:`36390`).

* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in the ``filter`` argument of an ``Aggregate`` expression (:ticket:`36404`).

* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in PostgreSQL aggregate functions ``ArrayAgg``, ``StringAgg``, and
``JSONBAgg`` (:ticket:`36405`).

* Fixed a regression in Django 5.2 where admin's ``filter_horizontal`` buttons
lacked ``type="button"``, causing them to intercept form submission when
pressing the Enter key (:ticket:`36423`).

* Fixed a bug in Django 5.2 where calling ``QuerySet.in_bulk()`` with an
``id_list`` argument on models with a ``CompositePrimaryKey`` failed to
observe database parameter limits (:ticket:`36416`).

* Fixed a bug in Django 5.2 where :meth:`HttpRequest.get_preferred_type()
<django.http.HttpRequest.get_preferred_type>` did not account for media type
parameters in ``Accept`` headers, reducing specificity in content negotiation
(:ticket:`36411`).

* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.prefetch_related()`` to prefetch a foreign key with a ``Prefetch``
queryset for a subclass of the foreign target (:ticket:`36432`).


==========================

5.2.1

==========================

*May 7, 2025*

Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.

This release was built using an upgraded :pypi:`setuptools`, producing
filenames compliant with :pep:`491` and :pep:`625` and thus addressing a PyPI
warning about non-compliant distribution filenames. This change only affects
the Django packaging process and does not impact Django's behavior.

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.

Bugfixes
========

* Fixed a regression in Django 5.2 that caused a crash when annotating
aggregate expressions over query that uses explicit grouping by transforms
followed by field references (:ticket:`36292`).

* Fixed a regression in Django 5.2 that caused unnecessary queries when
prefetching nullable foreign key relationships (:ticket:`36290`).

* Fixed a regression in Django 5.2 that caused a crash of
``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
(:ticket:`36289`).

* Fixed a regression in Django 5.2 that caused fields to be incorrectly
selected when using ``QuerySet.alias()`` after ``values()``
(:ticket:`36299`).

* Fixed a data corruption possibility in ``file_move_safe()`` when
``allow_overwrite=True``, where leftover content from a previously larger
file could remain after overwriting with a smaller one due to lack of
truncation (:ticket:`36298`).

* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.select_for_update(of=(…))`` with ``values()/values_list()``
including expressions (:ticket:`36301`).

* Fixed a regression in Django 5.2 that caused improper values to be returned
from ``QuerySet.values_list()`` when duplicate field names were specified
(:ticket:`36288`).

* Fixed a regression in Django 5.2 where the password validation error message
from ``MinimumLengthValidator`` was not translated when using non-English
locales (:ticket:`36314`).

* Fixed a regression in Django 5.2 that caused the ``object-tools`` block to be
rendered twice when using custom admin templates with overridden blocks due
to changes in the base admin page block structure (:ticket:`36331`).

* Fixed a regression in Django 5.2, introduced when fixing :cve:`2025-26699`,
where the :tfilter:`wordwrap` template filter did not preserve empty lines
between paragraphs after wrapping text (:ticket:`36341`).

* Fixed a regression in Django 5.2 that caused a crash when serializing email
alternatives or attachments due to named tuple mismatches (:ticket:`36309`).

* Fixed a regression in Django 5.2 that caused a crash when using ``update()``
on a ``QuerySet`` filtered against a related model and including references
to annotations through ``values()`` (:ticket:`36360`).

* Fixed a bug in Django 5.2 that caused composite primary key introspection to
wrongly identify ``IntegerField`` as ``AutoField`` on SQLite
(:ticket:`36358`).

* Fixed a bug in Django 5.2 that caused a redundant ``unique_together``
constraint to be generated for composite primary keys when using
:djadmin:`inspectdb` (:ticket:`36357`).


========================

5.2

========================

*April 2, 2025*

Welcome to Django 5.2!

These release notes cover the :ref:`new features <whats-new-5.2>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-5.2>` you
should be aware of when upgrading from Django 5.1 or earlier. We've
:ref:`begun the deprecation process for some features
<deprecated-features-5.2>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Django 5.2 is designated as a :term:`long-term support release
<Long-term support release>`. It will receive security updates for at least
three years after its release. Support for the previous LTS, Django 4.2, will
end in April 2026.

Python compatibility
====================

Django 5.2 supports Python 3.10, 3.11, 3.12, 3.13, and 3.14 (as of 5.2.8). We
**highly recommend** and only officially support the latest release of each
series.

.. _whats-new-5.2:

What's new in Django 5.2
========================

Automatic models import in the ``shell``
----------------------------------------

The :djadmin:`shell` management command now automatically imports models from
all installed apps. You can view further details of the imported objects by
setting the ``--verbosity`` flag to 2 or more:

.. console::

 $ python -Wall manage.py shell --verbosity=2
 6 objects imported automatically, including:

   from django.contrib.admin.models import LogEntry
   from django.contrib.auth.models import Group, Permission, User
   from django.contrib.contenttypes.models import ContentType
   from django.contrib.sessions.models import Session

This :ref:`behavior can be customized <customizing-shell-auto-imports>` to add
or remove automatic imports.

Composite Primary Keys
----------------------

The new :class:`django.db.models.CompositePrimaryKey` allows tables to be
created with a primary key consisting of multiple fields.

To use a composite primary key, when defining a model set the ``pk`` attribute
to be a ``CompositePrimaryKey``::

 from django.db import models


 class Release(models.Model):
     pk = models.CompositePrimaryKey("version", "name")
     version = models.IntegerField()
     name = models.CharField(max_length=20)

See :doc:`/topics/composite-primary-key` for more details.

Simplified override of :class:`~django.forms.BoundField`
--------------------------------------------------------

Prior to version 5.2, overriding :meth:`.Field.get_bound_field` was the only
option to use a custom :class:`~django.forms.BoundField`. Django now supports
specifying the following attributes to customize form rendering:

* :attr:`.BaseRenderer.bound_field_class` at the project level,
* :attr:`.Form.bound_f