From afb8ad29924d5439b973f2d2653bb58ce577f8cf Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 1 Oct 2025 08:52:19 -0400
Subject: [PATCH 01/27] [5.2.x] Post-release version bump.

---
 django/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django/__init__.py b/django/__init__.py
index 4a73d1fec593..caa03e41eae9 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
 from django.utils.version import get_version
 
-VERSION = (5, 2, 7, "final", 0)
+VERSION = (5, 2, 8, "alpha", 0)
 
 __version__ = get_version(VERSION)
 

From f94449ef69b3846f02f0ad3964192711b32f9ef6 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 1 Oct 2025 10:30:45 -0400
Subject: [PATCH 02/27] [5.2.x] Added stub release notes for 5.2.8.

Backport of 1324d9037e9281ec0fdd88c15b20881c7a6ea8b9 from main.
---
 docs/releases/5.2.8.txt | 13 +++++++++++++
 docs/releases/index.txt |  1 +
 2 files changed, 14 insertions(+)
 create mode 100644 docs/releases/5.2.8.txt

diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
new file mode 100644
index 000000000000..fd35dd6af53b
--- /dev/null
+++ b/docs/releases/5.2.8.txt
@@ -0,0 +1,13 @@
+==========================
+Django 5.2.8 release notes
+==========================
+
+*Expected November 5, 2025*
+
+Django 5.2.8 fixes several bugs in 5.2.7.
+
+Bugfixes
+========
+
+* ...
+
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 02f2762be1f9..f8d69ac1db6f 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   5.2.8
    5.2.7
    5.2.6
    5.2.5

From 071afc3d01d330ea48b79917a6227fff545d5620 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 1 Oct 2025 10:39:02 -0400
Subject: [PATCH 03/27] [5.2.x] Added CVE-2025-59681 and CVE-2025-59682 to
 security archive.

Backport of 43d84aef04a9e71164c21a74885996981857e66e from main.
---
 docs/releases/security.txt | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index df5571e374eb..78138060ba63 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -36,6 +36,30 @@ Issues under Django's security process
 All security issues have been handled under versions of Django's security
 process. These are listed below.
 
+October 1, 2025 - :cve:`2025-59681`
+-----------------------------------
+
+Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB.
+`Full description
+<https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <4ceaaee7e04b416fc465e838a6ef43ca0ccffafe>`
+* Django 5.2 :commit:`(patch) <52fbae0a4dbbe5faa59827f8f05694a0065cc135>`
+* Django 5.1 :commit:`(patch) <01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7>`
+* Django 4.2 :commit:`(patch) <38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5>`
+
+October 1, 2025 - :cve:`2025-59682`
+-----------------------------------
+
+Potential partial directory-traversal via ``archive.extract()``.
+`Full description
+<https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <af067f56c1dd467df4abd0ddd409a700da1f03ba>`
+* Django 5.2 :commit:`(patch) <ed8fc39d77465eddbde1191a054ae965f6a8a584>`
+* Django 5.1 :commit:`(patch) <74fa85c688a87224637155902bcd738bb9e65e11>`
+* Django 4.2 :commit:`(patch) <9504bbaa392c9fe37eee9291f5b4c29eb6037619>`
+
 September 3, 2025 - :cve:`2025-57833`
 -------------------------------------
 

From 2fc538af33f455675ee9e61e5897f58609b6745c Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 1 Oct 2025 21:15:57 +0200
Subject: [PATCH 04/27] [5.2.x] Rewrapped security archive at 79 chars.

Backport of 1499c95d990fb776c39ad60e43228cbbbfcad3a8 from main.
---
 docs/releases/security.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index 78138060ba63..ff4f1d37890e 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -39,8 +39,8 @@ process. These are listed below.
 October 1, 2025 - :cve:`2025-59681`
 -----------------------------------
 
-Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB.
-`Full description
+Potential SQL injection in ``QuerySet.annotate()``, ``alias()``,
+``aggregate()``, and ``extra()`` on MySQL and MariaDB. `Full description
 <https://www.djangoproject.com/weblog/2025/oct/01/security-releases/>`__
 
 * Django 6.0 :commit:`(patch) <4ceaaee7e04b416fc465e838a6ef43ca0ccffafe>`

From 41bcb54bff9c90b05201881c0850f4ef938e2b55 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Thu, 25 Sep 2025 09:56:24 -0400
Subject: [PATCH 05/27] [5.2.x] Refs #36143, #28596 -- Avoided mentioning exact
 query parameter limit in bulk_create() docs.

Backport of 0a09c60e97166e0188717ff340b4d93b72207e96 from main.
---
 docs/ref/models/querysets.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 7c76daa824bb..df9da9b1c799 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -2449,8 +2449,8 @@ This has a number of caveats though:
         Entry.objects.bulk_create(batch, batch_size)
 
 The ``batch_size`` parameter controls how many objects are created in a single
-query. The default is to create all objects in one batch, except for SQLite
-where the default is such that at most 999 variables per query are used.
+query. The default is to create as many objects in one batch as the database
+will allow. (SQLite and Oracle limit the number of parameters in a query.)
 
 On databases that support it (all but Oracle), setting the ``ignore_conflicts``
 parameter to ``True`` tells the database to ignore failure to insert any rows

From 2d2e1a6a9dbfe0cba58a4d2486c51fccdb501d55 Mon Sep 17 00:00:00 2001
From: Dani Fornons <fornons@gmail.com>
Date: Fri, 3 Oct 2025 12:20:28 +0200
Subject: [PATCH 06/27] [5.2.x] Fixed #36636, Refs #15902 -- Removed
 session-based storage reference from set_language() docs.

Backport of 2514857e3fae831106832cca8823237801cf2cad from main.
---
 django/views/i18n.py             | 6 +++---
 docs/topics/i18n/translation.txt | 7 +++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/django/views/i18n.py b/django/views/i18n.py
index 771035d8ab29..04e37e4ac170 100644
--- a/django/views/i18n.py
+++ b/django/views/i18n.py
@@ -29,9 +29,9 @@ def builtin_template_path(name):
 
 def set_language(request):
     """
-    Redirect to a given URL while setting the chosen language in the session
-    (if enabled) and in a cookie. The URL and the language code need to be
-    specified in the request parameters.
+    Redirect to a given URL while setting the chosen language in the language
+    cookie. The URL and the language code need to be specified in the request
+    parameters.
 
     Since this view changes how the user will see the rest of the site, it must
     only be accessed as a POST request. If called as a GET request, it will
diff --git a/docs/topics/i18n/translation.txt b/docs/topics/i18n/translation.txt
index eacf2a323463..faeccbaecf09 100644
--- a/docs/topics/i18n/translation.txt
+++ b/docs/topics/i18n/translation.txt
@@ -1881,10 +1881,9 @@ Activate this view by adding the following line to your URLconf::
     language-independent itself to work correctly.
 
 The view expects to be called via the ``POST`` method, with a ``language``
-parameter set in request. If session support is enabled, the view saves the
-language choice in the user's session. It also saves the language choice in a
-cookie that is named ``django_language`` by default. (The name can be changed
-through the :setting:`LANGUAGE_COOKIE_NAME` setting.)
+parameter set in request. The view saves the language choice in a cookie that
+is named ``django_language`` by default. (The name can be changed through the
+:setting:`LANGUAGE_COOKIE_NAME` setting.)
 
 After setting the language choice, Django looks for a ``next`` parameter in the
 ``POST`` or ``GET`` data. If that is found and Django considers it to be a safe

From 084cbe1217a79230b7bc616a40e900baeb3a45d6 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 8 Oct 2025 10:58:59 +0200
Subject: [PATCH 07/27] [5.2.x] Added missing backticks in
 docs/ref/models/fields.txt.

Backport of 4a8ca8bd6906b705c4445bc915d71beda2fc4b84 from main
---
 docs/ref/models/fields.txt | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt
index 511b6e0215a9..de0b888f82da 100644
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@@ -1727,8 +1727,9 @@ The possible values for :attr:`~ForeignKey.on_delete` are found in
 
 * .. attribute:: CASCADE
 
-    Cascade deletes. Django emulates the behavior of the SQL constraint ON
-    DELETE CASCADE and also deletes the object containing the ForeignKey.
+    Cascade deletes. Django emulates the behavior of the SQL constraint ``ON
+    DELETE CASCADE`` and also deletes the object containing the
+    :class:`ForeignKey`.
 
     :meth:`.Model.delete` isn't called on related models, but the
     :data:`~django.db.models.signals.pre_delete` and
@@ -1947,9 +1948,9 @@ The possible values for :attr:`~ForeignKey.on_delete` are found in
 
     Setting it to ``False`` does not mean you can reference a swappable model
     even if it is swapped out - ``False`` means that the migrations made
-    with this ForeignKey will always reference the exact model you specify
-    (so it will fail hard if the user tries to run with a User model you don't
-    support, for example).
+    with this :class:`ForeignKey` will always reference the exact model you
+    specify (so it will fail hard if the user tries to run with a ``User``
+    model you don't support, for example).
 
     If in doubt, leave it to its default of ``True``.
 

From c05c5b80a6108f84f786da46ba5de3a4972b9b73 Mon Sep 17 00:00:00 2001
From: "Michiel W. Beijen" <mb@x14.nl>
Date: Fri, 6 Dec 2024 20:54:41 +0100
Subject: [PATCH 08/27] [5.2.x] Fixed #35961 -- Migrated license metadata in
 pyproject.toml to conform PEP 639.

See https://peps.python.org/pep-0639/ and
https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-and-license-files.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of 96a7a652166bece8acc96d6335ebb8091de2f496 from main.
---
 docs/intro/reusable-apps.txt | 4 ++--
 pyproject.toml               | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/intro/reusable-apps.txt b/docs/intro/reusable-apps.txt
index 3ed336e62c98..b353cdc9bb86 100644
--- a/docs/intro/reusable-apps.txt
+++ b/docs/intro/reusable-apps.txt
@@ -209,7 +209,7 @@ this. For a small app like polls, this process isn't too difficult.
        :caption: ``django-polls/pyproject.toml``
 
        [build-system]
-       requires = ["setuptools>=69.3"]
+       requires = ["setuptools>=77.0.3"]
        build-backend = "setuptools.build_meta"
 
        [project]
@@ -220,6 +220,7 @@ this. For a small app like polls, this process isn't too difficult.
        ]
        description = "A Django app to conduct web-based polls."
        readme = "README.rst"
+       license = "BSD-3-Clause"
        requires-python = ">= 3.10"
        authors = [
            {name = "Your Name", email = "yourname@example.com"},
@@ -229,7 +230,6 @@ this. For a small app like polls, this process isn't too difficult.
            "Framework :: Django",
            "Framework :: Django :: X.Y",  # Replace "X.Y" as appropriate
            "Intended Audience :: Developers",
-           "License :: OSI Approved :: BSD License",
            "Operating System :: OS Independent",
            "Programming Language :: Python",
            "Programming Language :: Python :: 3",
diff --git a/pyproject.toml b/pyproject.toml
index a2b438cf024c..3306ef9cef9a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools>=75.8.1"]
+requires = ["setuptools>=77.0.3"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -16,13 +16,13 @@ authors = [
 ]
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 readme = "README.rst"
-license = {text = "BSD-3-Clause"}
+license = "BSD-3-Clause"
+license-files = ["LICENSE", "LICENSE.python"]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Environment :: Web Environment",
     "Framework :: Django",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: BSD License",
     "Operating System :: OS Independent",
     "Programming Language :: Python",
     "Programming Language :: Python :: 3",

From 80b9c8f5292dfa38469a1e85314cc45b8374eb22 Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Thu, 28 Aug 2025 17:19:20 -0300
Subject: [PATCH 09/27] [5.2.x] Fixed #36526 -- Doc'd QuerySet.bulk_update()
 memory usage when batching.

Thanks Simon Charette for the review.

Backport of 608d3ebc8889863d43be1090d634b9507fe4a85e from main.
---
 docs/ref/models/querysets.txt | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index df9da9b1c799..f509e7d616a4 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -2510,6 +2510,21 @@ them, but it has a few caveats:
 * If updating a large number of columns in a large number of rows, the SQL
   generated can be very large. Avoid this by specifying a suitable
   ``batch_size``.
+* When updating a large number of objects, be aware that ``bulk_update()``
+  prepares all of the ``WHEN`` clauses for every object across all batches
+  before executing any queries. This can require more memory than expected. To
+  reduce memory usage, you can use an approach like this::
+
+    from itertools import islice
+
+    batch_size = 100
+    ids_iter = range(1000)
+    while ids := list(islice(ids_iter, batch_size)):
+        batch = Entry.objects.filter(ids__in=ids)
+        for entry in batch:
+            entry.headline = f"Updated headline {entry.pk}"
+        Entry.objects.bulk_update(batch, ["headline"], batch_size=batch_size)
+
 * Updating fields defined on multi-table inheritance ancestors will incur an
   extra query per ancestor.
 * When an individual batch contains duplicates, only the first instance in that

From 713e9d8f53c20a785e766477fa5270575833193e Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Thu, 9 Oct 2025 20:01:31 +0200
Subject: [PATCH 10/27] [5.2.x] Corrected admin check IDs in docs.

Backport of 1167cd1d639c3fee69dbdef351d31e8a17d1fedf from main
---
 docs/ref/checks.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index fd0983dfadcd..fe33990a22d2 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -814,11 +814,11 @@ The following checks are performed on any
 :class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin` that is
 registered as an inline on a :class:`~django.contrib.admin.ModelAdmin`.
 
-* **admin.E301**: ``'ct_field'`` references ``<label>``, which is not a field
+* **admin.E301**: ``<model>`` has no ``GenericForeignKey``.
+* **admin.E302**: ``'ct_field'`` references ``<label>``, which is not a field
   on ``<model>``.
-* **admin.E302**: ``'ct_fk_field'`` references ``<label>``, which is not a
+* **admin.E303**: ``'ct_fk_field'`` references ``<label>``, which is not a
   field on ``<model>``.
-* **admin.E303**: ``<model>`` has no ``GenericForeignKey``.
 * **admin.E304**: ``<model>`` has no ``GenericForeignKey`` using content type
   field ``<field name>`` and object ID field ``<field name>``.
 

From 88ef9ea6c5840ea9925a3975cb1126651dff8b3d Mon Sep 17 00:00:00 2001
From: Simon Charette <charette.s@gmail.com>
Date: Wed, 8 Oct 2025 18:20:57 +0200
Subject: [PATCH 11/27] [5.2.x] Fixed #36646 -- Added compatibility for
 oracledb 3.4.0.

The Database.Binary, Date, and Timestamp attributes were changed from
aliases to bytes, datetime.date, and datetime.datetime to factory
functions in oracle/python-oracledb@869a887819cdac7fcd610f9d9d463ade49ea7
which made their usage inadequate for isinstance checks.

Thanks John Wagenleitner for the report and Natalia for the triage.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>

Backport of 315dbe675df338ae66c8fa43274a76ecbed7ef67 from main
---
 django/db/backends/oracle/base.py       | 2 +-
 django/db/backends/oracle/operations.py | 4 ++--
 django/db/backends/oracle/utils.py      | 2 +-
 docs/releases/5.2.8.txt                 | 3 +--
 4 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/django/db/backends/oracle/base.py b/django/db/backends/oracle/base.py
index 3b37c38f9723..71089c116620 100644
--- a/django/db/backends/oracle/base.py
+++ b/django/db/backends/oracle/base.py
@@ -438,7 +438,7 @@ def __init__(self, param, cursor, strings_only=False):
                 param = 0
         if hasattr(param, "bind_parameter"):
             self.force_bytes = param.bind_parameter(cursor)
-        elif isinstance(param, (Database.Binary, datetime.timedelta)):
+        elif isinstance(param, (bytes, datetime.timedelta)):
             self.force_bytes = param
         else:
             # To transmit to the database, we need Unicode if supported
diff --git a/django/db/backends/oracle/operations.py b/django/db/backends/oracle/operations.py
index 59eecdba200c..14c69a59ff80 100644
--- a/django/db/backends/oracle/operations.py
+++ b/django/db/backends/oracle/operations.py
@@ -273,12 +273,12 @@ def convert_datetimefield_value(self, value, expression, connection):
         return value
 
     def convert_datefield_value(self, value, expression, connection):
-        if isinstance(value, Database.Timestamp):
+        if isinstance(value, datetime.datetime):
             value = value.date()
         return value
 
     def convert_timefield_value(self, value, expression, connection):
-        if isinstance(value, Database.Timestamp):
+        if isinstance(value, datetime.datetime):
             value = value.time()
         return value
 
diff --git a/django/db/backends/oracle/utils.py b/django/db/backends/oracle/utils.py
index 57d97b3f771e..d69414240c64 100644
--- a/django/db/backends/oracle/utils.py
+++ b/django/db/backends/oracle/utils.py
@@ -24,7 +24,7 @@ class InsertVar:
         "BooleanField": int,
         "FloatField": Database.DB_TYPE_BINARY_DOUBLE,
         "DateTimeField": Database.DB_TYPE_TIMESTAMP,
-        "DateField": Database.Date,
+        "DateField": datetime.date,
         "DecimalField": decimal.Decimal,
     }
 
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index fd35dd6af53b..ef18d080228c 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -9,5 +9,4 @@ Django 5.2.8 fixes several bugs in 5.2.7.
 Bugfixes
 ========
 
-* ...
-
+* Added compatibility for ``oracledb`` 3.4.0 (:ticket:`36646`).

From 94cbd67d9eb9712be5518c3d5b4c17eac2e63629 Mon Sep 17 00:00:00 2001
From: arsalan64 <68010697+arsalan64@users.noreply.github.com>
Date: Sat, 27 Sep 2025 16:13:13 +0200
Subject: [PATCH 12/27] [5.2.x] Fixed #36625 -- Mentioned exit() in tutorial's
 instruction to restart the shell.

Backport of 92d0c21e69901cb7b749040670d3e6611353e1fa from main.
---
 docs/intro/tutorial02.txt | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/docs/intro/tutorial02.txt b/docs/intro/tutorial02.txt
index 6a87d2d01c24..e5019f33cf48 100644
--- a/docs/intro/tutorial02.txt
+++ b/docs/intro/tutorial02.txt
@@ -438,8 +438,13 @@ time-zone-related utilities in :mod:`django.utils.timezone`, respectively. If
 you aren't familiar with time zone handling in Python, you can learn more in
 the :doc:`time zone support docs </topics/i18n/timezones>`.
 
-Save these changes and start a new Python interactive shell by running
-``python manage.py shell`` again:
+Save these changes and start a new Python interactive shell. (If a
+three-chevron prompt (>>>) indicates you are still in the shell, you need to
+exit first using ``exit()``). Run ``python manage.py shell`` again to reload
+the models.
+
+.. RemovedInDjango70Warning: When Python 3.12 is no longer supported,
+  ``exit()`` can be replaced with ``exit``.
 
 .. code-block:: pycon
 

From 8baee531d40cd6ee8b342dbcf2c7924d20694969 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Mon, 13 Oct 2025 17:22:17 -0400
Subject: [PATCH 13/27] [5.2.x] Fixed #36648, Refs #33772 -- Accounted for
 composite pks in first()/last() when aggregating.

Backport of 02eed4f37879b2077496f86bb1378a076b981233 from main.
---
 django/db/models/query.py            | 10 ++++++++--
 docs/releases/5.2.8.txt              |  4 ++++
 tests/composite_pk/test_aggregate.py | 20 ++++++++++++++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/django/db/models/query.py b/django/db/models/query.py
index 12701416190c..535d91d7677d 100644
--- a/django/db/models/query.py
+++ b/django/db/models/query.py
@@ -2031,8 +2031,14 @@ def _check_operator_queryset(self, other, operator_):
             raise TypeError(f"Cannot use {operator_} operator with combined queryset.")
 
     def _check_ordering_first_last_queryset_aggregation(self, method):
-        if isinstance(self.query.group_by, tuple) and not any(
-            col.output_field is self.model._meta.pk for col in self.query.group_by
+        if (
+            isinstance(self.query.group_by, tuple)
+            # Raise if the pk fields are not in the group_by.
+            and self.model._meta.pk
+            not in {col.output_field for col in self.query.group_by}
+            and set(self.model._meta.pk_fields).difference(
+                {col.target for col in self.query.group_by}
+            )
         ):
             raise TypeError(
                 f"Cannot use QuerySet.{method}() on an unordered queryset performing "
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index ef18d080228c..dc750e4636f0 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -10,3 +10,7 @@ Bugfixes
 ========
 
 * Added compatibility for ``oracledb`` 3.4.0 (:ticket:`36646`).
+
+* Fixed a bug in Django 5.2 where ``QuerySet.first()`` and ``QuerySet.last()``
+  raised an error on querysets performing aggregation that selected all fields
+  of a composite primary key.
diff --git a/tests/composite_pk/test_aggregate.py b/tests/composite_pk/test_aggregate.py
index d852fdce30c0..8a2067cb90cf 100644
--- a/tests/composite_pk/test_aggregate.py
+++ b/tests/composite_pk/test_aggregate.py
@@ -141,3 +141,23 @@ def test_max_pk(self):
         msg = "Max expression does not support composite primary keys."
         with self.assertRaisesMessage(ValueError, msg):
             Comment.objects.aggregate(Max("pk"))
+
+    def test_first_from_unordered_queryset_aggregation_pk_selected(self):
+        self.assertEqual(
+            Comment.objects.values("pk").annotate(max=Max("id")).first(),
+            {"pk": (1, 1), "max": 1},
+        )
+
+    def test_first_from_unordered_queryset_aggregation_pk_selected_separately(self):
+        self.assertEqual(
+            Comment.objects.values("tenant", "id").annotate(max=Max("id")).first(),
+            {"tenant": 1, "id": 1, "max": 1},
+        )
+
+    def test_first_from_unordered_queryset_aggregation_pk_incomplete(self):
+        msg = (
+            "Cannot use QuerySet.first() on an unordered queryset performing "
+            "aggregation. Add an ordering with order_by()."
+        )
+        with self.assertRaisesMessage(TypeError, msg):
+            Comment.objects.values("tenant").annotate(max=Max("id")).first()

From dc61f205781733f41dd3630f5ca48bccda6c0cbc Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 15 Oct 2025 22:18:33 -0400
Subject: [PATCH 14/27] [5.2.x] Refs #36648 -- Removed hardcoded pk in
 CompositePKAggregateTests.

Backport of bee64561a6e8cd22995c2b1254bab66dae892a6d from main.
---
 tests/composite_pk/test_aggregate.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/composite_pk/test_aggregate.py b/tests/composite_pk/test_aggregate.py
index 8a2067cb90cf..43f9e7a7cde5 100644
--- a/tests/composite_pk/test_aggregate.py
+++ b/tests/composite_pk/test_aggregate.py
@@ -145,13 +145,13 @@ def test_max_pk(self):
     def test_first_from_unordered_queryset_aggregation_pk_selected(self):
         self.assertEqual(
             Comment.objects.values("pk").annotate(max=Max("id")).first(),
-            {"pk": (1, 1), "max": 1},
+            {"pk": (self.comment_1.tenant_id, 1), "max": 1},
         )
 
     def test_first_from_unordered_queryset_aggregation_pk_selected_separately(self):
         self.assertEqual(
             Comment.objects.values("tenant", "id").annotate(max=Max("id")).first(),
-            {"tenant": 1, "id": 1, "max": 1},
+            {"tenant": self.comment_1.tenant_id, "id": 1, "max": 1},
         )
 
     def test_first_from_unordered_queryset_aggregation_pk_incomplete(self):

From 83f6fe810df8558339495ad717e216b14d34f461 Mon Sep 17 00:00:00 2001
From: aj2s <72272843+aj2s@users.noreply.github.com>
Date: Fri, 17 Oct 2025 07:20:23 -0700
Subject: [PATCH 15/27] [5.2.x] Fixed #36669 -- Doc'd that negative indexes are
 not supported in F() slices.

Backport of f715bc8990b5b8a1df948c2b71e8edbdda47e7db from main.
---
 docs/ref/models/expressions.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/ref/models/expressions.txt b/docs/ref/models/expressions.txt
index b745135bfa53..b6512bff72d5 100644
--- a/docs/ref/models/expressions.txt
+++ b/docs/ref/models/expressions.txt
@@ -192,8 +192,8 @@ Slicing ``F()`` expressions
 
 For string-based fields, text-based fields, and
 :class:`~django.contrib.postgres.fields.ArrayField`, you can use Python's
-array-slicing syntax. The indices are 0-based and the ``step`` argument to
-``slice`` is not supported. For example:
+array-slicing syntax. The indices are 0-based. The ``step`` argument to
+``slice`` and negative indexing are not supported. For example:
 
 .. code-block:: pycon
 

From a8c9b5b2636ebda87d938b61cbf4bfec476ca0c9 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Mon, 13 Oct 2025 16:34:26 +0200
Subject: [PATCH 16/27] [5.2.x] Refs #35844 -- Doc'd Python 3.14 compatibility.

Backport of 56977b466c33ca3da14a1ed2609172425a76a34e from main.
---
 .github/workflows/docs.yml           |  4 ++--
 .github/workflows/linters.yml        |  4 ++--
 .github/workflows/schedule_tests.yml | 10 +++++-----
 .github/workflows/selenium.yml       |  4 ++--
 .github/workflows/tests.yml          |  2 +-
 docs/faq/install.txt                 |  2 +-
 docs/howto/windows.txt               |  4 ++--
 docs/intro/reusable-apps.txt         |  1 +
 docs/releases/5.2.8.txt              |  3 ++-
 docs/releases/5.2.txt                |  5 +++--
 pyproject.toml                       |  1 +
 tests/mail/tests.py                  |  2 +-
 tests/requirements/py3.txt           |  4 ++--
 tox.ini                              |  2 +-
 14 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 46c2cf870724..b13a9bab4a39 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'docs/requirements.txt'
       - run: python -m pip install -r docs/requirements.txt
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
       - run: python -m pip install blacken-docs
       - name: Build docs
         run: |
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index d89085b4a783..0f64cae68193 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
       - run: python -m pip install flake8
       - name: flake8
         # Pinned to v3.0.0.
@@ -44,7 +44,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
       - run: python -m pip install "isort<6"
       - name: isort
         # Pinned to v3.0.0.
diff --git a/.github/workflows/schedule_tests.yml b/.github/workflows/schedule_tests.yml
index 5e6038fb3115..dc3157f51bd1 100644
--- a/.github/workflows/schedule_tests.yml
+++ b/.github/workflows/schedule_tests.yml
@@ -20,7 +20,7 @@ jobs:
           - '3.11'
           - '3.12'
           - '3.13'
-          - '3.14-dev'
+          - '3.14'
     name: Windows, SQLite, Python ${{ matrix.python-version }}
     continue-on-error: true
     steps:
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
       - name: Install libmemcached-dev for pylibmc
         run: sudo apt-get install libmemcached-dev
@@ -146,7 +146,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'tests/requirements/py3.txt'
       - name: Install libmemcached-dev for pylibmc
@@ -182,7 +182,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'tests/requirements/py3.txt'
       - name: Install libmemcached-dev for pylibmc
@@ -227,7 +227,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'tests/requirements/py3.txt'
       - name: Install libmemcached-dev for pylibmc
diff --git a/.github/workflows/selenium.yml b/.github/workflows/selenium.yml
index 14a95f3b66a5..de36f1c08488 100644
--- a/.github/workflows/selenium.yml
+++ b/.github/workflows/selenium.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'tests/requirements/py3.txt'
       - name: Install libmemcached-dev for pylibmc
@@ -61,7 +61,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: '3.14'
           cache: 'pip'
           cache-dependency-path: 'tests/requirements/py3.txt'
       - name: Install libmemcached-dev for pylibmc
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3373f82e0a52..2ae1e3ef9034 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -23,7 +23,7 @@ jobs:
     strategy:
       matrix:
         python-version:
-          - '3.13'
+          - '3.14'
     name: Windows, SQLite, Python ${{ matrix.python-version }}
     steps:
       - name: Checkout
diff --git a/docs/faq/install.txt b/docs/faq/install.txt
index dcbae30ae3e7..c9865352712d 100644
--- a/docs/faq/install.txt
+++ b/docs/faq/install.txt
@@ -53,7 +53,7 @@ Django version Python versions
 4.2            3.8, 3.9, 3.10, 3.11, 3.12 (added in 4.2.8)
 5.0            3.10, 3.11, 3.12
 5.1            3.10, 3.11, 3.12, 3.13 (added in 5.1.3)
-5.2            3.10, 3.11, 3.12, 3.13
+5.2            3.10, 3.11, 3.12, 3.13, 3.14 (added in 5.2.8)
 ============== ===============
 
 For each version of Python, only the latest micro release (A.B.C) is officially
diff --git a/docs/howto/windows.txt b/docs/howto/windows.txt
index 235b18a24ff3..63e497be04c5 100644
--- a/docs/howto/windows.txt
+++ b/docs/howto/windows.txt
@@ -2,7 +2,7 @@
 How to install Django on Windows
 ================================
 
-This document will guide you through installing Python 3.13 and Django on
+This document will guide you through installing Python 3.14 and Django on
 Windows. It also provides instructions for setting up a virtual environment,
 which makes it easier to work on Python projects. This is meant as a beginner's
 guide for users working on Django projects and does not reflect how Django
@@ -18,7 +18,7 @@ Install Python
 ==============
 
 Django is a Python web framework, thus requiring Python to be installed on your
-machine. At the time of writing, Python 3.13 is the latest version.
+machine. At the time of writing, Python 3.14 is the latest version.
 
 To install Python on your machine go to https://www.python.org/downloads/. The
 website should offer you a download button for the latest Python version.
diff --git a/docs/intro/reusable-apps.txt b/docs/intro/reusable-apps.txt
index b353cdc9bb86..6148b4e94b2c 100644
--- a/docs/intro/reusable-apps.txt
+++ b/docs/intro/reusable-apps.txt
@@ -238,6 +238,7 @@ this. For a small app like polls, this process isn't too difficult.
            "Programming Language :: Python :: 3.11",
            "Programming Language :: Python :: 3.12",
            "Programming Language :: Python :: 3.13",
+           "Programming Language :: Python :: 3.14",
            "Topic :: Internet :: WWW/HTTP",
            "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
        ]
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index dc750e4636f0..415101238732 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -4,7 +4,8 @@ Django 5.2.8 release notes
 
 *Expected November 5, 2025*
 
-Django 5.2.8 fixes several bugs in 5.2.7.
+Django 5.2.8 fixes several bugs in 5.2.7 and adds compatibility with Python
+3.14.
 
 Bugfixes
 ========
diff --git a/docs/releases/5.2.txt b/docs/releases/5.2.txt
index 20d82db98e0a..b80c8effd208 100644
--- a/docs/releases/5.2.txt
+++ b/docs/releases/5.2.txt
@@ -23,8 +23,9 @@ end in April 2026.
 Python compatibility
 ====================
 
-Django 5.2 supports Python 3.10, 3.11, 3.12, and 3.13. We **highly recommend**
-and only officially support the latest release of each series.
+Django 5.2 supports Python 3.10, 3.11, 3.12, 3.13, and 3.14 (as of 5.2.8). We
+**highly recommend** and only officially support the latest release of each
+series.
 
 .. _whats-new-5.2:
 
diff --git a/pyproject.toml b/pyproject.toml
index 3306ef9cef9a..a8381a122ad0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,6 +31,7 @@ classifiers = [
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Topic :: Internet :: WWW/HTTP",
     "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
     "Topic :: Internet :: WWW/HTTP :: WSGI",
diff --git a/tests/mail/tests.py b/tests/mail/tests.py
index 833b68874159..e017c7f9cfbe 100644
--- a/tests/mail/tests.py
+++ b/tests/mail/tests.py
@@ -185,7 +185,7 @@ def test_nonascii_as_string_with_ascii_charset(self, mock_set_payload):
         """Line length check should encode the payload supporting `surrogateescape`.
 
         Following https://github.com/python/cpython/issues/76511, newer
-        versions of Python (3.11.9, 3.12.3 and 3.13) ensure that a message's
+        versions of Python (3.11.9, 3.12.3 and 3.13+) ensure that a message's
         payload is encoded with the provided charset and `surrogateescape` is
         used as the error handling strategy.
 
diff --git a/tests/requirements/py3.txt b/tests/requirements/py3.txt
index f0e208a115cb..a9679af97ca6 100644
--- a/tests/requirements/py3.txt
+++ b/tests/requirements/py3.txt
@@ -6,8 +6,8 @@ black
 docutils >= 0.19
 geoip2
 jinja2 >= 2.11.0
-numpy; python_version < '3.14'
-Pillow >= 6.2.1; sys.platform != 'win32' or python_version < '3.14'
+numpy
+Pillow >= 6.2.1
 # pylibmc/libmemcached can't be built on Windows.
 pylibmc; sys_platform != 'win32'
 pymemcache >= 3.4.0
diff --git a/tox.ini b/tox.ini
index 7a76693f2116..9d4bab43b4e3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -26,7 +26,7 @@ setenv =
     PYTHONDONTWRITEBYTECODE=1
 deps =
     -e .
-    py{3,310,311,312,313,py3}: -rtests/requirements/py3.txt
+    py{3,310,311,312,313,314,py3}: -rtests/requirements/py3.txt
     postgres: -rtests/requirements/postgres.txt
     mysql: -rtests/requirements/mysql.txt
     oracle: -rtests/requirements/oracle.txt

From 796456d84e71de493fcdd97bb46939745c4b0d27 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Mon, 20 Oct 2025 16:03:39 +0200
Subject: [PATCH 17/27] [5.2.x] Fixed
 RelatedGeoModelTest.test_related_union_aggregate() test on Oracle and GEOS
 3.12+.

Backport of 344ae16e1e21ab7c0b594d755519738f7f16eaf1 from main
---
 tests/gis_tests/relatedapp/tests.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tests/gis_tests/relatedapp/tests.py b/tests/gis_tests/relatedapp/tests.py
index 303d3577058d..3b0339ffa98f 100644
--- a/tests/gis_tests/relatedapp/tests.py
+++ b/tests/gis_tests/relatedapp/tests.py
@@ -99,10 +99,15 @@ def test_related_union_aggregate(self):
         self.assertEqual(type(u3), MultiPoint)
 
         # Ordering of points in the result of the union is not defined and
-        # implementation-dependent (DB backend, GEOS version)
-        self.assertEqual({p.ewkt for p in ref_u1}, {p.ewkt for p in u1})
-        self.assertEqual({p.ewkt for p in ref_u2}, {p.ewkt for p in u2})
-        self.assertEqual({p.ewkt for p in ref_u1}, {p.ewkt for p in u3})
+        # implementation-dependent (DB backend, GEOS version).
+        tests = [
+            (u1, ref_u1),
+            (u2, ref_u2),
+            (u3, ref_u1),
+        ]
+        for union, ref in tests:
+            for point, ref_point in zip(sorted(union), sorted(ref), strict=True):
+                self.assertIs(point.equals_exact(ref_point, tolerance=6), True)
 
     def test05_select_related_fk_to_subclass(self):
         """

From 9b37bd5fe73b0d614ad8e503071d6f7bf2bdf6b2 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Tue, 21 Oct 2025 21:11:44 +0200
Subject: [PATCH 18/27] [5.2.x] Made
 RemoteTestResultTest.test_pickle_errors_detection() compatible with tblib
 3.2+.

tblib 3.2+ makes exception subclasses with __init__() and the default
__reduce__() picklable. This broke the test for
RemoteTestResult._confirm_picklable(), which expects a specific
exception to fail unpickling.

https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21

This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way
that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj))
raises TypeError.

Refs #27301. This preserves the intent of the regression test from
52188a5ca6bafea0a66f17baacb315d61c7b99cd without skipping it.

Backport of 548209e620b3ca34396a360453f07c8dbb8aa6c7 from main.
---
 tests/test_runner/test_parallel.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/test_runner/test_parallel.py b/tests/test_runner/test_parallel.py
index 5026bc36c535..036551417603 100644
--- a/tests/test_runner/test_parallel.py
+++ b/tests/test_runner/test_parallel.py
@@ -31,6 +31,12 @@ class ExceptionThatFailsUnpickling(Exception):
     def __init__(self, arg):
         super().__init__()
 
+    def __reduce__(self):
+        # tblib 3.2+ makes exception subclasses picklable by default.
+        # Return (cls, ()) so the constructor fails on unpickle, preserving
+        # the needed behavior for test_pickle_errors_detection.
+        return (self.__class__, ())
+
 
 class ParallelTestRunnerTest(SimpleTestCase):
     """
@@ -166,6 +172,8 @@ def test_pickle_errors_detection(self):
         result = RemoteTestResult()
         result._confirm_picklable(picklable_error)
 
+        # The exception can be pickled but not unpickled.
+        pickle.dumps(not_unpicklable_error)
         msg = "__init__() missing 1 required positional argument"
         with self.assertRaisesMessage(TypeError, msg):
             result._confirm_picklable(not_unpicklable_error)

From 71267c97db211f1d7f1b8b794ceb2167a7619a4d Mon Sep 17 00:00:00 2001
From: Annabelle Wiegart <44520920+annalauraw@users.noreply.github.com>
Date: Thu, 23 Oct 2025 16:11:52 +0200
Subject: [PATCH 19/27] [5.2.x] Fixed #35095 -- Clarified Swiss number
 formatting in docs/topics/i18n/formatting.txt.

Co-authored-by: Ahmed Nassar <a.moh.nassar00@gmail.com>

Backport of 74239181252ca73bebb84789856f5d8937d421b4 from main.
---
 AUTHORS                             |  1 +
 django/conf/locale/de_CH/formats.py |  8 +++-----
 django/conf/locale/fr_CH/formats.py |  4 ++++
 docs/topics/i18n/formatting.txt     | 19 ++++++++++---------
 4 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index 5d8618d8e6cc..16c76fa60819 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -96,6 +96,7 @@ answer newbie questions, and generally made Django that much better:
     Andy Dustman <farcepest@gmail.com>
     Andy Gayton <andy-django@thecablelounge.com>
     andy@jadedplanet.net
+    Annabelle Wiegart
     Anssi Kääriäinen <akaariai@gmail.com>
     ant9000@netwise.it
     Anthony Briggs <anthony.briggs@gmail.com>
diff --git a/django/conf/locale/de_CH/formats.py b/django/conf/locale/de_CH/formats.py
index f42dd48739b0..bf048462bd39 100644
--- a/django/conf/locale/de_CH/formats.py
+++ b/django/conf/locale/de_CH/formats.py
@@ -25,11 +25,9 @@
     "%d.%m.%Y %H:%M",  # '25.10.2006 14:30'
 ]
 
-# these are the separators for non-monetary numbers. For monetary numbers,
-# the DECIMAL_SEPARATOR is a . (decimal point) and the THOUSAND_SEPARATOR is a
-# ' (single quote).
-# For details, please refer to the documentation and the following link:
-# https://www.bk.admin.ch/bk/de/home/dokumentation/sprachen/hilfsmittel-textredaktion/schreibweisungen.html
+# Swiss number formatting can vary based on context (e.g. Fr. 23.50 vs 22,5 m).
+# Django does not support context-specific formatting and uses generic
+# separators.
 DECIMAL_SEPARATOR = ","
 THOUSAND_SEPARATOR = "\xa0"  # non-breaking space
 NUMBER_GROUPING = 3
diff --git a/django/conf/locale/fr_CH/formats.py b/django/conf/locale/fr_CH/formats.py
index 84f065713ee0..0a63166e8033 100644
--- a/django/conf/locale/fr_CH/formats.py
+++ b/django/conf/locale/fr_CH/formats.py
@@ -27,6 +27,10 @@
     "%d/%m/%Y %H:%M:%S.%f",  # '25/10/2006 14:30:59.000200'
     "%d/%m/%Y %H:%M",  # '25/10/2006 14:30'
 ]
+
+# Swiss number formatting can vary based on context (e.g. Fr. 23.50 vs 22,5 m).
+# Django does not support context-specific formatting and uses generic
+# separators.
 DECIMAL_SEPARATOR = ","
 THOUSAND_SEPARATOR = "\xa0"  # non-breaking space
 NUMBER_GROUPING = 3
diff --git a/docs/topics/i18n/formatting.txt b/docs/topics/i18n/formatting.txt
index e1b6213ca23c..de4f961c01ba 100644
--- a/docs/topics/i18n/formatting.txt
+++ b/docs/topics/i18n/formatting.txt
@@ -188,12 +188,13 @@ Limitations of the provided locale formats
 Some locales use context-sensitive formats for numbers, which Django's
 localization system cannot handle automatically.
 
-Switzerland (German)
---------------------
-
-The Swiss number formatting depends on the type of number that is being
-formatted. For monetary values, a comma is used as the thousand separator and
-a decimal point for the decimal separator. For all other numbers, a comma is
-used as decimal separator and a space as thousand separator. The locale format
-provided by Django uses the generic separators, a comma for decimal and a space
-for thousand separators.
+Switzerland (German, French)
+----------------------------
+
+The Swiss number formatting traditionally varies depending on context. For
+example, monetary values may use a dot as decimal separator (``Fr. 23.50``),
+while measurements often use a comma (``22,5 m``). Django’s localization system
+does not support such context-specific variations automatically.
+
+The locale format provided by Django uses the generic separators, a comma for
+decimal and a space for thousand separators.

From 368f955c371cab5db18e9e239d10560cf15f5ea4 Mon Sep 17 00:00:00 2001
From: Kasyap Pentamaraju <vpentamaraju@webmd.net>
Date: Thu, 23 Oct 2025 10:17:55 +0530
Subject: [PATCH 20/27] [5.2.x] Fixed #36681 -- Removed English pluralization
 bias from example in docs/topics/i18n/translation.txt.

Backport of 0ea01101c3a35568bc43e9707ac058b9874bd425 from main.
---
 AUTHORS                          | 1 +
 docs/topics/i18n/translation.txt | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/AUTHORS b/AUTHORS
index 16c76fa60819..05186ba8585d 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1049,6 +1049,7 @@ answer newbie questions, and generally made Django that much better:
     Unai Zalakain <unai@gisa-elkartea.org>
     Valentina Mukhamedzhanova <umirra@gmail.com>
     valtron
+    Varun Kasyap Pentamaraju <varunkasyap@hotmail.com>
     Vasiliy Stavenko <stavenko@gmail.com>
     Vasil Vangelovski
     Vibhu Agarwal <vibhu-agarwal.github.io>
diff --git a/docs/topics/i18n/translation.txt b/docs/topics/i18n/translation.txt
index faeccbaecf09..0884f75752de 100644
--- a/docs/topics/i18n/translation.txt
+++ b/docs/topics/i18n/translation.txt
@@ -715,7 +715,7 @@ An example:
 .. code-block:: html+django
 
     {% blocktranslate count counter=list|length %}
-    There is only one {{ name }} object.
+    There is {{ counter }} {{ name }} object.
     {% plural %}
     There are {{ counter }} {{ name }} objects.
     {% endblocktranslate %}

From d5dfffaae52b9dcb4857d42b1e2902290a5c5e3c Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 24 Sep 2025 15:29:09 -0400
Subject: [PATCH 21/27] [5.2.x] Added stub release notes and release date for
 5.2.8, 5.1.14, and 4.2.26.

Backport of ab108bf94dfc06c311d7dc81866b848fe5b5ee6c from main.
---
 docs/releases/4.2.26.txt | 10 ++++++++++
 docs/releases/5.1.14.txt | 10 ++++++++++
 docs/releases/5.2.8.txt  |  7 ++++---
 docs/releases/index.txt  |  2 ++
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 docs/releases/4.2.26.txt
 create mode 100644 docs/releases/5.1.14.txt

diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
new file mode 100644
index 000000000000..e0db257c04d3
--- /dev/null
+++ b/docs/releases/4.2.26.txt
@@ -0,0 +1,10 @@
+===========================
+Django 4.2.26 release notes
+===========================
+
+*November 5, 2025*
+
+Django 4.2.26 fixes one security issue with severity "high" and one security
+issue with severity "moderate" in 4.2.25.
+
+...
diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt
new file mode 100644
index 000000000000..79a7a260e302
--- /dev/null
+++ b/docs/releases/5.1.14.txt
@@ -0,0 +1,10 @@
+===========================
+Django 5.1.14 release notes
+===========================
+
+*November 5, 2025*
+
+Django 5.1.14 fixes one security issue with severity "high" and one security
+issue with severity "moderate" in 5.1.13.
+
+...
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index 415101238732..a75db9cbc8ca 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -2,10 +2,11 @@
 Django 5.2.8 release notes
 ==========================
 
-*Expected November 5, 2025*
+*November 5, 2025*
 
-Django 5.2.8 fixes several bugs in 5.2.7 and adds compatibility with Python
-3.14.
+Django 5.2.8 fixes one security issue with severity "high", one security issue
+with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
+with Python 3.14.
 
 Bugfixes
 ========
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index f8d69ac1db6f..0a0976bfbd53 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   5.1.14
    5.1.13
    5.1.12
    5.1.11
@@ -82,6 +83,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   4.2.26
    4.2.25
    4.2.24
    4.2.23

From 6775888470317a6d69121779b489bb2dc7350318 Mon Sep 17 00:00:00 2001
From: Patrick Rauscher <Patrick.Rauscher@deutschebahn.com>
Date: Thu, 30 Oct 2025 10:13:14 +0100
Subject: [PATCH 22/27] [5.2.x] Fixed #36696 -- Fixed NameError when inspecting
 functions with deferred annotations.

In Python 3.14, annotations are deferred by default, so we should not
assume that the names in them have been imported unconditionally.
---
 django/utils/inspect.py           | 16 +++++++++++++++-
 tests/utils_tests/test_inspect.py | 15 +++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/django/utils/inspect.py b/django/utils/inspect.py
index 4e065f0347c1..e1d790cc3c90 100644
--- a/django/utils/inspect.py
+++ b/django/utils/inspect.py
@@ -1,10 +1,24 @@
 import functools
 import inspect
 
+from django.utils.version import PY314
+
+if PY314:
+    import annotationlib
+
 
 @functools.lru_cache(maxsize=512)
 def _get_func_parameters(func, remove_first):
-    parameters = tuple(inspect.signature(func).parameters.values())
+    # As the annotations are not used in any case, inspect the signature with
+    # FORWARDREF to leave any deferred annotations unevaluated.
+    if PY314:
+        signature = inspect.signature(
+            func, annotation_format=annotationlib.Format.FORWARDREF
+        )
+    else:
+        signature = inspect.signature(func)
+
+    parameters = tuple(signature.parameters.values())
     if remove_first:
         parameters = parameters[1:]
     return parameters
diff --git a/tests/utils_tests/test_inspect.py b/tests/utils_tests/test_inspect.py
index b8359c25087c..697b0c4e5d63 100644
--- a/tests/utils_tests/test_inspect.py
+++ b/tests/utils_tests/test_inspect.py
@@ -1,6 +1,11 @@
 import unittest
+from typing import TYPE_CHECKING
 
 from django.utils import inspect
+from django.utils.version import PY314
+
+if TYPE_CHECKING:
+    from django.utils.safestring import SafeString
 
 
 class Person:
@@ -100,3 +105,13 @@ def test_func_accepts_kwargs(self):
         self.assertIs(inspect.func_accepts_kwargs(Person().just_args), False)
         self.assertIs(inspect.func_accepts_kwargs(Person.all_kinds), True)
         self.assertIs(inspect.func_accepts_kwargs(Person().just_args), False)
+
+    @unittest.skipUnless(PY314, "Deferred annotations are Python 3.14+ only")
+    def test_func_accepts_kwargs_deferred_annotations(self):
+
+        def func_with_annotations(self, name: str, complex: SafeString) -> None:
+            pass
+
+        # Inspection fails with deferred annotations with python 3.14+. Earlier
+        # Python versions trigger the NameError on module initialization.
+        self.assertIs(inspect.func_accepts_kwargs(func_with_annotations), False)

From cbdf128cb316bccf9ca3b3b4966e57bd050bfc8a Mon Sep 17 00:00:00 2001
From: Hal Blackburn <hwtb2@cam.ac.uk>
Date: Tue, 4 Nov 2025 05:58:46 +0000
Subject: [PATCH 23/27] [5.2.x] Fixed #36704 -- Fixed system check error for
 proxy model with a composite pk.

Proxy models subclassing a model with a CompositePrimaryKey were
incorrectly reporting check errors because the check that requires only
local fields to be used in a composite pk was evaluated against the proxy
subclass, which has no fields.

To fix this, composite pk field checks are not evaluated against
proxy subclasses, as none of the checks are applicable to proxy
subclasses. This also has the benefit of not double-reporting real check
errors from an invalid superclass pk.

Thanks Clifford Gama for the review.

Backport of 74564946c3b42a2ef7d087047e49873847a7e1d9 from main.
---
 django/db/models/base.py          |  2 +-
 docs/releases/5.2.8.txt           |  3 +++
 tests/composite_pk/test_checks.py | 35 +++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/django/db/models/base.py b/django/db/models/base.py
index d7d207901b90..77353121f5f2 100644
--- a/django/db/models/base.py
+++ b/django/db/models/base.py
@@ -1782,7 +1782,7 @@ def _check_composite_pk(cls):
         meta = cls._meta
         pk = meta.pk
 
-        if not isinstance(pk, CompositePrimaryKey):
+        if meta.proxy or not isinstance(pk, CompositePrimaryKey):
             return errors
 
         seen_columns = defaultdict(list)
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index a75db9cbc8ca..62cb32f55c29 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -16,3 +16,6 @@ Bugfixes
 * Fixed a bug in Django 5.2 where ``QuerySet.first()`` and ``QuerySet.last()``
   raised an error on querysets performing aggregation that selected all fields
   of a composite primary key.
+
+* Fixed a bug in Django 5.2 where proxy models having a ``CompositePrimaryKey``
+  incorrectly raised a ``models.E042`` system check error.
diff --git a/tests/composite_pk/test_checks.py b/tests/composite_pk/test_checks.py
index c33f2ee2eb69..21796aa87111 100644
--- a/tests/composite_pk/test_checks.py
+++ b/tests/composite_pk/test_checks.py
@@ -268,3 +268,38 @@ class Bar(Foo):
                 ),
             ],
         )
+
+    def test_proxy_model_can_subclass_model_with_composite_pk(self):
+        class Foo(models.Model):
+            pk = models.CompositePrimaryKey("a", "b")
+            a = models.SmallIntegerField()
+            b = models.SmallIntegerField()
+
+        class Bar(Foo):
+            class Meta:
+                proxy = True
+
+        self.assertEqual(Foo.check(databases=self.databases), [])
+        self.assertEqual(Bar.check(databases=self.databases), [])
+
+    def test_proxy_model_does_not_check_superclass_composite_pk_errors(self):
+        class Foo(models.Model):
+            pk = models.CompositePrimaryKey("a", "b")
+            a = models.SmallIntegerField()
+
+        class Bar(Foo):
+            class Meta:
+                proxy = True
+
+        self.assertEqual(
+            Foo.check(databases=self.databases),
+            [
+                checks.Error(
+                    "'b' cannot be included in the composite primary key.",
+                    hint="'b' is not a valid field.",
+                    obj=Foo,
+                    id="models.E042",
+                ),
+            ],
+        )
+        self.assertEqual(Bar.check(databases=self.databases), [])

From 4f5d904b63751dea9ffc3b0e046404a7fa5881ac Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Thu, 16 Oct 2025 16:28:33 -0400
Subject: [PATCH 24/27] [5.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS
 in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.

Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.

Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
---
 django/http/response.py     |  9 +++++++--
 docs/releases/4.2.26.txt    | 10 +++++++++-
 docs/releases/5.1.14.txt    | 10 +++++++++-
 docs/releases/5.2.8.txt     | 10 ++++++++++
 tests/httpwrappers/tests.py |  2 ++
 5 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/django/http/response.py b/django/http/response.py
index 4a0ea6701375..9f4bd6af9075 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -22,7 +22,7 @@
 from django.utils.datastructures import CaseInsensitiveMapping
 from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
-from django.utils.http import content_disposition_header, http_date
+from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date
 from django.utils.regex_helper import _lazy_re_compile
 
 _charset_from_content_type_re = _lazy_re_compile(
@@ -630,7 +630,12 @@ class HttpResponseRedirectBase(HttpResponse):
     def __init__(self, redirect_to, preserve_request=False, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self["Location"] = iri_to_uri(redirect_to)
-        parsed = urlsplit(str(redirect_to))
+        redirect_to_str = str(redirect_to)
+        if len(redirect_to_str) > MAX_URL_LENGTH:
+            raise DisallowedRedirect(
+                f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters"
+            )
+        parsed = urlsplit(redirect_to_str)
         if preserve_request:
             self.status_code = self.status_code_preserve_request
         if parsed.scheme and parsed.scheme not in self.allowed_schemes:
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
index e0db257c04d3..ae274c3361c0 100644
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -7,4 +7,12 @@ Django 4.2.26 release notes
 Django 4.2.26 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 4.2.25.
 
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt
index 79a7a260e302..8dba96e48726 100644
--- a/docs/releases/5.1.14.txt
+++ b/docs/releases/5.1.14.txt
@@ -7,4 +7,12 @@ Django 5.1.14 release notes
 Django 5.1.14 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 5.1.13.
 
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index 62cb32f55c29..947fce8d84de 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue
 with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
 with Python 3.14.
 
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
+
 Bugfixes
 ========
 
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
index f85d33e82338..f62a9d9bba39 100644
--- a/tests/httpwrappers/tests.py
+++ b/tests/httpwrappers/tests.py
@@ -24,6 +24,7 @@
 )
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
+from django.utils.http import MAX_URL_LENGTH
 
 
 class QueryDictTests(SimpleTestCase):
@@ -490,6 +491,7 @@ def test_unsafe_redirect(self):
             'data:text/html,<script>window.alert("xss")</script>',
             "mailto:test@example.com",
             "file:///etc/passwd",
+            "é" * (MAX_URL_LENGTH + 1),
         ]
         for url in bad_urls:
             with self.assertRaises(DisallowedRedirect):

From 6703f364d767e949c5b0e4016433ef75063b4f9b Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 24 Sep 2025 15:54:51 -0400
Subject: [PATCH 25/27] [5.2.x] Fixed CVE-2025-64459 -- Prevented SQL
 injections in Q/QuerySet via the _connector kwarg.

Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.

Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
---
 django/db/models/query_utils.py | 4 ++++
 docs/releases/4.2.26.txt        | 7 +++++++
 docs/releases/5.1.14.txt        | 7 +++++++
 docs/releases/5.2.8.txt         | 7 +++++++
 tests/queries/test_q.py         | 5 +++++
 5 files changed, 30 insertions(+)

diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
index d219c5fb0e1b..9d237cdc7760 100644
--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
@@ -48,8 +48,12 @@ class Q(tree.Node):
     XOR = "XOR"
     default = AND
     conditional = True
+    connectors = (None, AND, OR, XOR)
 
     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
         super().__init__(
             children=[*args, *sorted(kwargs.items())],
             connector=_connector,
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
index ae274c3361c0..20cf48f05c11 100644
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 :func:`redirect() <django.shortcuts.redirect>` were subject to a potential
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt
index 8dba96e48726..d762dbf3cd27 100644
--- a/docs/releases/5.1.14.txt
+++ b/docs/releases/5.1.14.txt
@@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 :func:`redirect() <django.shortcuts.redirect>` were subject to a potential
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
index 947fce8d84de..0a0038ba2096 100644
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -18,6 +18,13 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
 
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
+
 Bugfixes
 ========
 
diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
index 1a62aca06114..52200b2ecff1 100644
--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
@@ -272,6 +272,11 @@ def test_create_helper(self):
                     Q(*items, _connector=connector),
                 )
 
+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
     def test_referenced_base_fields(self):
         # Make sure Q.referenced_base_fields retrieves all base fields from
         # both filters and F expressions.

From ac9fcf6eb2c909f4150c5287808f49170ce1f9e2 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 24 Sep 2025 15:56:03 -0400
Subject: [PATCH 26/27] [5.2.x] Refs CVE-2025-64459 -- Avoided propagating
 invalid arguments to Q on dictionary expansion.

Backport of 3c3f46357718166069948625354b8315a8505262 from main.
---
 django/db/models/query.py | 5 +++++
 tests/queries/tests.py    | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/django/db/models/query.py b/django/db/models/query.py
index 535d91d7677d..8ed028d1401f 100644
--- a/django/db/models/query.py
+++ b/django/db/models/query.py
@@ -42,6 +42,8 @@
 # The maximum number of items to display in a QuerySet.__repr__
 REPR_OUTPUT_SIZE = 20
 
+PROHIBITED_FILTER_KWARGS = frozenset(["_connector", "_negated"])
+
 
 class BaseIterable:
     def __init__(
@@ -1512,6 +1514,9 @@ def _filter_or_exclude(self, negate, args, kwargs):
         return clone
 
     def _filter_or_exclude_inplace(self, negate, args, kwargs):
+        if invalid_kwargs := PROHIBITED_FILTER_KWARGS.intersection(kwargs):
+            invalid_kwargs_str = ", ".join(f"'{k}'" for k in sorted(invalid_kwargs))
+            raise TypeError(f"The following kwargs are invalid: {invalid_kwargs_str}")
         if negate:
             self._query.add_q(~Q(*args, **kwargs))
         else:
diff --git a/tests/queries/tests.py b/tests/queries/tests.py
index ffaabf48a0ab..c1589669b073 100644
--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
@@ -4506,6 +4506,14 @@ def test_invalid_values(self):
             Annotation.objects.filter(tag__in=[123, "abc"])
 
 
+class TestInvalidFilterArguments(TestCase):
+    def test_filter_rejects_invalid_arguments(self):
+        school = School.objects.create()
+        msg = "The following kwargs are invalid: '_connector', '_negated'"
+        with self.assertRaisesMessage(TypeError, msg):
+            School.objects.filter(pk=school.pk, _negated=True, _connector="evil")
+
+
 class TestTicket24605(TestCase):
     def test_ticket_24605(self):
         """

From 47fe39af56ecd0ad73b9c7562511015e96b91b80 Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Wed, 5 Nov 2025 09:35:08 -0300
Subject: [PATCH 27/27] [5.2.x] Bumped version for 5.2.8 release.

---
 django/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django/__init__.py b/django/__init__.py
index caa03e41eae9..3d29f0e2604d 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
 from django.utils.version import get_version
 
-VERSION = (5, 2, 8, "alpha", 0)
+VERSION = (5, 2, 8, "final", 0)
 
 __version__ = get_version(VERSION)