fix(deps): update dependency django to v5.2.12 [security]

[uptick-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
django (changelog)	5.2.11 -> 5.2.12

---

Django has a Race Condition vulnerability

BIT-django-2026-25674 / CVE-2026-25674 / GHSA-mjgh-79qc-68w3

More information

Details

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.

Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary umask change affects other threads in multi-threaded environments.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-25674
• https://docs.djangoproject.com/en/dev/releases/security
• https://github.com/django/django
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/mar/03/security-releases

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Django vulnerable to Uncontrolled Resource Consumption

BIT-django-2026-25673 / CVE-2026-25673 / GHSA-8p8v-wh79-9r56

More information

Details

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.

URLField.to_python() in Django calls urllib.parse.urlsplit(), which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-25673
• https://docs.djangoproject.com/en/dev/releases/security
• https://github.com/django/django
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2026/mar/03/security-releases

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

django/django (django)

v5.2.12

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.