
OSV
added 2025/10/08 8:40 a.m.

BIT-DJANGO-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

CVSS 9.8 | AI score 8 | EPSS 0.00014
Exploits 0 | References 5
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-0087

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.4 | EPSS 0.01971
Exploits 3 | References 30
Tenable Nessus
added 2025/10/03 12:00 a.m.

SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2025:03446-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03446-1 advisory. - CVE-2025-59681: SQL injection via the QuerySet annotate, alias, aggregate, or extra methods when processing a specially crafte...

CVSS 9.8 | AI score 7.6 | EPSS 0.00018
Exploits 0 | References 7
OpenVAS
added 2025/10/02 12:00 a.m.

Django 4.x < 4.2.25, 5.0.x < 5.1.13, 5.2.x < 5.2.7 Multiple Vulnerabilities - Windows

Django is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:djangoproject:django"; if descriptio...

CVSS 9.8 | AI score 7.5 | EPSS 0.00018
Exploits 0 | References 1
Snyk
added 2025/10/01 9:31 p.m.

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection in the QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra methods when a specially crafted dictionary is passed using dictionary expansion as kwargs, leading to unsafe column aliases on MySQL and...

CVSS 9.8 | AI score 7.4 | EPSS 0.00014
Exploits 0 | References 2
Github Security Blog
added 2025/10/01 9:31 p.m.

Django vulnerable to SQL injection in column aliases

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

CVSS 9.8 | AI score 8 | EPSS 0.00014
Exploits 0 | References 8 | Affected Software 1
OSV
added 2025/10/01 7:15 p.m.

CVE-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

CVSS 9.8 | AI score 8
Exploits 0 | References 4
Ubuntu
added 2025/10/01 5:23 p.m.

USN-7794-1: Django vulnerabilities

It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. CVE-2025-59681 It was discovered that Django incorrectly handled files with the same path prefix when starting wit...

CVSS 9.8 | AI score 7.5 | EPSS 0.00018
Exploits 0
OSV
added 2025/10/01 5:23 p.m.

USN-7794-1 python-django vulnerabilities

It was discovered that Django incorrectly handled special characters in the QuerySet function calls. A remote attacker could possibly use this issue to perform SQL injection attacks. CVE-2025-59681 It was discovered that Django incorrectly handled files with the same path prefix when starting wit...

CVSS 9.8 | AI score 7.2 | EPSS 0.00018
Exploits 0 | References 3
CVE
added 2025/10/01 12:00 a.m.

CVE-2025-59681

CVE-2025-59681 affects Django: SQL injection in column aliases when using crafted dictionaries via **kwargs passed to QuerySet.annotate(), alias(), aggregate(), or extra() on MySQL/MariaDB. Initial description specifies vulnerable versions: Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 bef...

CVSS 9.8 | AI score 7.5 | EPSS 0.00014
Exploits 0 | References 4 | Affected Software 1
Cvelist
added 2025/10/01 12:00 a.m.

CVE-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

CVSS 7.1 | EPSS 0.00014
Exploits 0 | References 3
FreeBSD
added 2025/10/01 12:00 a.m.

Django -- multiple vulnerabilities

Django reports: CVE-2025-59681: Potential SQL injection in QuerySet.annotate, alias, aggregate, and extra on MySQL and MariaDB. CVE-2025-59682: Potential partial directory-traversal via archive.extract...

CVSS 9.8 | AI score 8 | EPSS 0.00018
Exploits 0 | References 1
RedHat Linux
added 2025/09/23 6:04 p.m.

django: Django SQL injection in FilteredRelation column aliases

An SQL injection flaw has been discovered in the Django web framework. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias...

CVSS 8.1 | AI score 7.3 | EPSS 0.00074
Exploits 4 | References 7
OSV
added 2025/09/12 2:24 p.m.

OESA-2025-2234 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted...

CVSS 8.1 | AI score 8 | EPSS 0.00074
Exploits 4 | References 2
NVD
added 2025/09/03 9:15 p.m.

CVE-2025-57833

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias...

CVSS 8.1 | EPSS 0.00074
Exploits 4 | References 6
CVE
added 2025/09/03 12:00 a.m.

CVE-2025-57833

CVE-2025-57833 affects Django 4.2 (pre-4.2.24), 5.1 (pre-5.1.12), and 5.2 (pre-5.2.6). The vulnerability arises in FilteredRelation where SQL injection can occur via column aliases when a crafted dictionary is expanded through **kwargs passed to QuerySet.annotate() or QuerySet.alias(). The issue ...

CVSS 8.1 | AI score 7.4 | EPSS 0.00074
Exploits 4 | References 6 | Affected Software 1
OSV
added 2025/03/09 1:00 p.m.

UBUNTU-CVE-2025-57833

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias...

CVSS 8.1 | AI score 7.2 | EPSS 0.00074
Exploits 4 | References 3
RedHat Linux
added 2025/02/12 12:11 a.m.

python-django: Potential SQL injection in QuerySet.values() and values_list()

A flaw was found in Django. The QuerySet.values and QuerySet.values_list methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...

CVSS 9.8 | AI score 7.1 | EPSS 0.00328
Exploits 0 | References 5
RedHat Linux
added 2024/11/05 5:49 p.m.

python-django: Potential SQL injection in QuerySet.values() and values_list()

A flaw was found in Django. The QuerySet.values and QuerySet.values_list methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...

CVSS 9.8 | AI score 7.1 | EPSS 0.00328
Exploits 0 | References 5
Veracode
added 2024/08/08 7:53 a.m.

SQL Injection

Django is vulnerable to SQL injection. The vulnerability is due to the QuerySet.values and values_list functions on models with a JSONField, allowing attackers to manipulate SQL queries in column aliases via a crafted JSON object key passed as an argument...

CVSS 9.8 | AI score 7.4 | EPSS 0.00328
Exploits 0 | References 9 | Affected Software 2