PT-2026-6036 · Django+3

Jacob Walls +2 · Published 2026-02-03 · Updated 2026-03-10 · CVE-2026-1287

CVSS v4.0: 8.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

Django versions 6.0 through 6.0.1
Django versions 5.2 through 5.2.10
Django versions 4.2 through 4.2.27
Django versions 5.0.x and earlier
Django versions 4.1.x and earlier
Django versions 3.2.x and earlier
Description

The FilteredRelation component is susceptible to SQL injection in column aliases through the use of control characters. The injection occurs when a crafted dictionary is expanded as the **kwargs passed to the annotate(), aggregate(), extra(), values(), values_list(), and alias() methods of QuerySet.
Recommendations

Update to Django version 6.0.2 or later.
Update to Django version 5.2.11 or later.
Update to Django version 4.2.28 or later.
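As an added illustration (not code from Django or from this advisory), the following defence-in-depth check validates the keys of a caller-supplied mapping before it is expanded into annotate(), alias(), values() and similar calls, rejecting any alias that carries a control character or is not a plain identifier. The helper names (validate_alias, safe_alias_kwargs, classify) and the allow-list policy are assumptions of this example, not part of the ORM.

```python
import re
import unicodedata

# Allow-list for aliases: a plain ASCII identifier. This is a constructed policy for
# this example, deliberately stricter than whatever the ORM itself accepts.
_ALIAS_RE = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]*\Z")


def control_chars(name: str) -> list[str]:
    """Return every Unicode control character (category Cc) found in name."""
    return [ch for ch in name if unicodedata.category(ch) == "Cc"]


def validate_alias(name) -> str:
    """Return name unchanged if it is an acceptable column alias, else raise ValueError."""
    if not isinstance(name, str):
        raise ValueError(f"alias must be a str, got {type(name).__name__}")
    bad = control_chars(name)
    if bad:
        codes = ", ".join(f"U+{ord(ch):04X}" for ch in bad)
        raise ValueError(f"alias contains control characters: {codes}")
    if not _ALIAS_RE.match(name):
        raise ValueError(f"alias is not a plain identifier: {name!r}")
    return name


def safe_alias_kwargs(untrusted: dict) -> dict:
    """Validate every key of a caller-supplied mapping before it is expanded into
    queryset.annotate(**kwargs), .alias(**kwargs), .values(**kwargs) and friends.
    Values (the expressions) pass through untouched; only keys become SQL aliases."""
    return {validate_alias(key): value for key, value in untrusted.items()}


def classify(untrusted: dict) -> dict:
    """Report which keys would be accepted and which rejected, with the reason
    (hypothetical helper for auditing request parameters before they reach the ORM)."""
    rejected = {}
    for key in untrusted:
        try:
            validate_alias(key)
        except ValueError as exc:
            rejected[key] = str(exc)
    return {"accepted": [k for k in untrusted if k not in rejected], "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample: one legitimate alias and one carrying a NUL and a newline,
    # the kind of control characters the advisory describes.
    sample = {"total_sales": "Sum('sales')", "total\x00sales\n": "Sum('sales')"}
    print(classify(sample))
    # qs.annotate(**safe_alias_kwargs(sample)) would raise here, before any SQL is built.
```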

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-03469
BIT-DJANGO-2026-1287
CVE-2026-1287
ECHO-F04C-582A-DF62
GHSA-GVG8-93H5-G6QQ
MGASA-2026-0032
OESA-2026-1307
OESA-2026-1308
OESA-2026-1309
OESA-2026-1343
OESA-2026-1344
OESA-2026-1507
OPENSUSE-SU-2026:10145-1
OPENSUSE-SU-2026:10160-1
OPENSUSE-SU-2026:10247-1
OPENSUSE-SU-2026:20184-1
PYSEC-2026-46
RHSA-2026:14835
RHSA-2026:3958
RHSA-2026:3959
RHSA-2026:5970
RHSA-2026:5971
SUSE-SU-2026:0440-1
USN-8009-1

Affected Products

Django
Linuxmint
Red Os
Ubuntu