CVE-2025-13372
CVE-2025-13372 affects Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. The issue is a SQL injection in FilteredRelation column aliases when dictionary expansion is passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL. Several connected advisories confirm affected dis...
CVE-2025-13372 Potential SQL injection in FilteredRelation column aliases on PostgreSQL
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias on PostgreSQL. Earlier...
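The three Django advisories on this page (CVE-2025-57833, CVE-2025-59681 and CVE-2025-13372) each name a different first fixed release per supported series, and an installation that picked up one fix may still miss the next. The following is an added example, not code from Django or from any advisory source: it encodes the fixed versions exactly as the advisory texts state them and answers, for a pinned version string or a `pip freeze` dump, which of the three still apply. Series not covered by the advisories are handled as assumptions noted in the code: out-of-support series (5.0, 4.1, 3.2 and older, listed as affected in the PT-2025-48697 entry on this page) are reported as vulnerable, and series newer than 5.2 as unknown. The sample freeze output is constructed.

```python
"""Check a Django version against the 2025 column-alias SQL injection advisories.
Fixed versions come from the advisory texts; the rest is illustrative."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per supported series, as stated in the advisories.
FIXED_IN: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2025-57833": {(4, 2): (4, 2, 24), (5, 1): (5, 1, 12), (5, 2): (5, 2, 6)},
    "CVE-2025-59681": {(4, 2): (4, 2, 25), (5, 1): (5, 1, 13), (5, 2): (5, 2, 7)},
    "CVE-2025-13372": {(4, 2): (4, 2, 27), (5, 1): (5, 1, 15), (5, 2): (5, 2, 9)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[a-z]+\d*)?$")
_FREEZE_RE = re.compile(r"^\s*django\s*==\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Version:
    """'5.2.7' -> (5, 2, 7). '5.2' and pre-releases such as '5.2rc1' map to
    patch 0, which sorts them below the first fixed point release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str, cve: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if the series
    is newer than any the advisories cover (assumption: we do not guess there)."""
    v = parse_version(version)
    series = v[:2]
    fixed = FIXED_IN[cve]
    if series in fixed:
        return v < fixed[series]
    if series > max(fixed):
        return None
    # Assumption, consistent with the PT-2025-48697 entry: out-of-support series
    # (5.0, 4.1, 3.2 and older) never received the fix.
    return True


def affected_cves(version: str) -> List[str]:
    """All advisories on this page that still apply to the given version."""
    return [cve for cve in FIXED_IN if is_vulnerable(version, cve)]


def django_version_from_freeze(freeze_output: str) -> Optional[str]:
    """Pull the pinned Django version out of `pip freeze` or requirements text."""
    m = _FREEZE_RE.search(freeze_output)
    return m.group(1) if m else None


# Constructed sample `pip freeze` output, not taken from any real project.
SAMPLE_FREEZE = """\
asgiref==3.8.1
Django==5.2.7
sqlparse==0.5.3
"""

if __name__ == "__main__":
    pinned = django_version_from_freeze(SAMPLE_FREEZE)
    print(pinned, affected_cves(pinned))  # 5.2.7 ['CVE-2025-13372']
```

Run it against the real `pip freeze` of each environment rather than the requirements file: the point of the three staggered fix releases is that a host patched for CVE-2025-57833 in September can still be exposed to the later two.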
PT-2025-48697
Name of the Vulnerable Software and Affected Versions: Django 4.2 through 4.2.26; 5.1 through 5.1.14; 5.2 through 5.2.8; 5.0.x and earlier; 4.1.x and earlier; 3.2.x and earlier. Description: An issue exists in Django...
SQL Injection
Django is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of column aliases in methods like QuerySet.annotate, alias, aggregate, and extra, which allows an attacker to exploit crafted dictionary inputs passed via kwargs to inject malicious SQL—particularly on MySQL...
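The common thread in these entries is that the injection point is the dictionary key, which becomes a column alias when a dict is expanded as `**kwargs` into QuerySet.annotate(), alias(), aggregate() or extra(). Upgrading Django is the fix; the following added example, not Django's code and not from any advisory, shows the application-side hygiene that keeps this class of bug out of reach even on a patched version: aliases and field paths are both chosen server-side from an allowlist, and a small review helper flags ORM calls that take expanded kwargs so a reviewer can trace where the keys come from. The `ALIAS_RE` rule, `ALLOWED_FIELDS`, the request dicts and the scanned source are all this example's own constructions.

```python
"""Defence in depth for the **kwargs alias pattern behind these advisories:
never let an untrusted string become a kwargs key for an ORM call.
Example code; the regex, allowlist and sample inputs are assumptions."""
import re
from typing import Dict, List, Tuple

# Aliases this example accepts: a plain identifier with no leading underscore, at
# most 63 characters (PostgreSQL's identifier limit). "__" is rejected as well
# because Django uses it as the lookup separator. Narrower than any DB requires.
ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")

# Keys a client may request, mapped to the model field path each one resolves to.
# Constructed for this example; a real view defines its own.
ALLOWED_FIELDS: Dict[str, str] = {
    "price": "lines__unit_price",
    "qty": "lines__quantity",
}


def is_safe_alias(name: object) -> bool:
    """JSON input need not be a str, so check the type before the pattern."""
    return isinstance(name, str) and bool(ALIAS_RE.fullmatch(name)) and "__" not in name


def validate_alias(name: str) -> str:
    if not is_safe_alias(name):
        raise ValueError(f"rejected column alias {name!r}")
    return name


def build_annotations(requested: Dict[str, str]) -> Dict[str, str]:
    """Turn untrusted {alias: field_key} input into {safe_alias: model_field_path}.
    The result is what a view would wrap in F() and pass as **kwargs to annotate()
    or alias(); neither the alias nor the field path comes from the client as-is."""
    out: Dict[str, str] = {}
    for alias, field_key in requested.items():
        safe_alias = validate_alias(alias)
        if field_key not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field key {field_key!r}")
        out[safe_alias] = ALLOWED_FIELDS[field_key]
    return out


# Code-review helper: flag the four ORM methods from the advisories when their
# kwargs arrive by dictionary expansion. Each hit needs a human to trace the keys.
_EXPANSION_RE = re.compile(r"\.(annotate|alias|aggregate|extra)\(\s*\*\*")


def find_kwargs_expansion_calls(source: str) -> List[Tuple[int, str]]:
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if _EXPANSION_RE.search(line)
    ]


# Constructed inputs for the demonstration below.
ATTACKER_PARAMS = {'total" FROM auth_user; --': "price"}   # crafted alias key
HONEST_PARAMS = {"total": "price", "count": "qty"}
SAMPLE_SOURCE = """\
qs = Order.objects.annotate(**request.GET.dict())            # keys straight from the client
qs = Order.objects.alias(**build_annotations(params))        # keys validated first
qs = Order.objects.annotate(total=Sum("lines__unit_price"))  # literal keyword, not expansion
agg = Order.objects.aggregate(**extra)                        # where does `extra` come from?
"""

if __name__ == "__main__":
    print(build_annotations(HONEST_PARAMS))
    try:
        build_annotations(ATTACKER_PARAMS)
    except ValueError as exc:
        print("blocked:", exc)
    for lineno, line in find_kwargs_expansion_calls(SAMPLE_SOURCE):
        print(f"review line {lineno}: {line}")
```

The scanner is deliberately noisy: it flags the validated call on line 2 as well as the raw ones, because a regex cannot know that `build_annotations` sanitised the keys. That is the intended workflow when triaging a codebase against these CVEs: list every expansion site, then confirm by hand that the key set is server-controlled.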
ROS-20251106-04
A vulnerability in the django.utils.archive.extract function of the Django web framework stems from errors in its handling of relative directory paths. Exploiting it could allow a remote attacker to bypass security restrictions. Vulnerability in...
Malicious code in annotate-pure-calls (npm)
Source: ghsa-malware d2a9cdca3a9ab53743de2a24b78ebb758510f58ed74ba54d5f727dcfdb17e317 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-48984 Malicious code in annotate-pure-calls (npm)
Source: ghsa-malware d2a9cdca3a9ab53743de2a24b78ebb758510f58ed74ba54d5f727dcfdb17e317 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2025-36859
Malicious code in annotate-pure-calls npm...
Malicious Package
Overview annotate-pure-calls is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Exploit for CVE-2025-57833
CVE-2025-57833 Example Vulnerable application for CVE-2025–57...
django: Django SQL injection in FilteredRelation column aliases
An SQL injection flaw has been discovered in the Django web framework. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias...
EUVD-2025-26641
Malicious code in bioql PyPI...
SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2025:03446-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03446-1 advisory. - CVE-2025-59681: SQL injection via the QuerySet annotate, alias, aggregate, or extra methods when processing a specially crafte...
PYSEC-2025-106
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...
CVE-2025-59681
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...
OESA-2025-2354 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted...