177 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-1312
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. .QuerySet.orderby is subject to SQL injection in column aliases containin...
OESA-2026-1206 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter, QuerySet.exclude, and QuerySet.get, and the class Q, are subject to...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-000157)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000157 advisory. An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-000158)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000158 advisory. A SQL injection issue was discovered in QuerySet.explain in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted...
Django QuerySet.order_by - SQL Injection
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.orderby, letting attackers execute arbitrary SQL commands, exploit requires attacker to control orderby input. id: CVE-2021-35042 info: name: Django QuerySet.orderby - SQL Injection...
openSUSE 16 Security Update : python-Django (openSUSE-SU-2025-20153-1)
The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025-20153-1 advisory. - CVE-2025-64459: Fixed a potential SQL injection via connector keyword argument in QuerySet and Q objects bsc1252926 -...
Exploit for SQL Injection in Djangoproject Django
CVE-2025-64459-Exploit-PoC CVE-2025-64459: Critical RCE in Dja...
django: Django SQL injection
A potential SQL injection vulnerability has been discovered in the Django web framework. The methods QuerySet.filter, QuerySet.exclude, and QuerySet.get, and the class Q were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the connector argument...
OPENSUSE-SU-2025:20153-1 Security update for python-Django
This update for python-Django fixes the following issues: - CVE-2025-64459: Fixed a potential SQL injection via connector keyword argument in QuerySet and Q objects bsc1252926 - CVE-2025-13372,CVE-2025-64460: Fixed Denial of Service in 'django.core.serializers.xmlserializer.getInnerText' bsc12544...
📄 Django 5.1.13 SQL Injection
Django version 5.1.13 suffers from a remote SQL injection vulnerability. Exploit Title: Django 5.1.13 - SQL Injection Google Dork: none Not applicable for this vulnerability Date: 2025-12-03 Exploit Author: Wafcontrol Security Team Vendor Homepage: https://www.djangoproject.com/ Software Link:...
PYSEC-2025-104
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias on PostgreSQL.Earlier,...
ROS-20251125-12
Vulnerability of QuerySet and Q objects of Django web application development platform is related to failure to take measures to protect the SQL query structure when processing an argument with the connector keyword. Exploitation of the vulnerability could allow an attacker acting remotely to...
SQL Injection
Django is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of column aliases in methods like QuerySet.annotate, alias, aggregate, and extra, which allows an attacker to exploit crafted dictionary inputs passed via kwargs to inject malicious SQL—particularly on MySQL...
Exploit for SQL Injection in Djangoproject Django
Django-CVE-2025-64459-Testbed A self-contained testbed for Dj...
OESA-2025-2680 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence,...
OESA-2025-2679 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence,...
OESA-2025-2678 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence,...
OESA-2025-2676 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence,...
BIT-DJANGO-2025-64459 Potential SQL injection via _connector keyword argument in QuerySet and Q objects
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter, QuerySet.exclude, and QuerySet.get, and the class Q, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the connector argument...
CVE-2025-64459
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter, QuerySet.exclude, and QuerySet.get, and the class Q, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the connector argument...