Oh, I Found a Security Issue (reloaded 2026)

Oh, I Found a Security Issue DjangoCon Europe 2026 —
Markus Holtermann @[email protected]

• Senior Software Engineer at Kraken Tech • Member of
the Django Security Team Hi, I’m Markus 👋

Date: Tue, 3 Mar 2026 11:15:45 -0300 From: Natalia Bidart
<*****@*****> To: django-announce <[email protected]> Subject: [django-announce] Django security releases issued: 6.0.3, 5.2.12, and 4.2.29 Details are available on the Django project weblog: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues •
How does Django evaluate a report

How does Django evaluate a report • Security issue severity levels

How does Django evaluate a report • Security issue severity levels • Supported versions

How does Django evaluate a report • Security issue severity levels • Supported versions • How Django discloses security issues

Report

[email protected] Report

[email protected] Triage Report

Release Triage [email protected] Report

Release Triage [email protected] Report Announcement

How to apply this to your project?

Setup reporting channel

Setup reporting channel Monitor for reports

Setup reporting channel Monitor for reports Fix issues

Setup reporting channel Monitor for reports Fix issues Release and
announce

History of Security Issues

Number of CVEs per year

CVEs per classiﬁcation

Top 4 classiﬁcations by year

HackerOne Submissions

CVE 2025-64459 Potential SQL injection via _connector keyword argument in
QuerySet and Q objects

HackerOne Submissions

What’s next?

Thank you Contacts: Markus Holtermann Senior Software Engineer @[email protected]

Oh, I Found a Security Issue (reloaded 2026)

Oh, I Found a Security Issue (reloaded 2026)

Markus H

More Decks by Markus H

Other Decks in Technology

Featured

Transcript

Oh, I Found a Security Issue DjangoCon Europe 2026 —

• Senior Software Engineer at Kraken Tech • Member of

Date: Tue, 3 Mar 2026 11:15:45 -0300 From: Natalia Bidart

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues •

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues •

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues •

Django’s Security Policy https://docs.djangoproject.com/en/dev /internals/security/ • Reporting security issues •

Report

[email protected] Report

[email protected] Triage Report

Release Triage [email protected] Report

Release Triage [email protected] Report Announcement

How to apply this to your project?

Setup reporting channel

Setup reporting channel Monitor for reports

Setup reporting channel Monitor for reports Fix issues

Setup reporting channel Monitor for reports Fix issues Release and

History of Security Issues

Number of CVEs per year

CVEs per classiﬁcation

Top 4 classiﬁcations by year

HackerOne Submissions

CVE 2025-64459 Potential SQL injection via _connector keyword argument in

HackerOne Submissions

HackerOne Submissions

What’s next?

Thank you Contacts: Markus Holtermann Senior Software Engineer @[email protected]