3 matches found
CVE-2026-1287 Potential SQL injection in column aliases via control characters
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet methods annotate, aggregat...
SUSE-SU-2025:03446-1 Security update for python-Django
This update for python-Django fixes the following issues: - CVE-2025-59681: SQL injection via the QuerySet annotate, alias, aggregate, or extra methods when processing a specially crafted dictionary with dictionary expansion bsc1250485. - CVE-2025-59682: directory traversal via the...
PT-2025-40290
Name of the Vulnerable Software and Affected Versions Django versions 4.2 through 4.2.25 Django versions 5.1 through 5.1.13 Django versions 5.2 through 5.2.7 Description A SQL injection issue exists in Django’s QuerySet methods—specifically annotate, alias, aggregate, and extra—when using a craft...