CVE-2026-1287

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet methods annotate, aggregat...

SUSE-SU-2025:03446-1 Security update for python-Django

This update for python-Django fixes the following issues: - CVE-2025-59681: SQL injection via the QuerySet annotate, alias, aggregate, or extra methods when processing a specially crafted dictionary with dictionary expansion bsc1250485. - CVE-2025-59682: directory traversal via the...

PT-2025-40290

Name of the Vulnerable Software and Affected Versions Django versions 4.2 through 4.2.25 Django versions 5.1 through 5.1.13 Django versions 5.2 through 5.2.7 Description A SQL injection issue exists in Django’s QuerySet methods—specifically annotate, alias, aggregate, and extra—when using a craft...