PT-2026-6038 · Django+3

Jacob Walls +1

Published: 2026-02-03 · Updated: 2026-03-06

CVE-2026-1312

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
- Django versions 6.0 through 6.0.1
- Django versions 5.2 through 5.2.10
- Django versions 4.2 through 4.2.27
- Django versions 5.0.x and earlier
- Django versions 4.1.x and earlier
- Django versions 3.2.x and earlier
Description
The QuerySet.order_by() function is susceptible to SQL injection when column aliases contain periods; specifically, when a crafted dictionary is passed through dictionary expansion to a FilteredRelation and the same alias is reused. Earlier, unsupported Django series, including versions 5.0.x, 4.1.x, and 3.2.x, may also be affected.
Recommendations
- Update to Django version 6.0.2 or later.
- Update to Django version 5.2.11 or later.
- Update to Django version 4.2.28 or later.
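An added version-triage helper, not part of this advisory or of the Django project, that applies the affected and fixed ranges stated above to a Django version string so a defender can answer "is this deployment in scope?" without re-reading the ranges by hand. The four status labels, the regex-based version parsing, and the choice of 6.0.2 as the upgrade target for unsupported series are this example's own assumptions; the version numbers themselves are taken from the advisory.

```python
import re
from typing import Optional, Tuple

# Affected/fixed ranges transcribed from PT-2026-6038 / CVE-2026-1312 (see above).
# Keyed by (major, minor) series; value is the first patch release that carries the fix.
FIXED_IN = {
    (6, 0): 2,   # 6.0 through 6.0.1 affected, fixed in 6.0.2
    (5, 2): 11,  # 5.2 through 5.2.10 affected, fixed in 5.2.11
    (4, 2): 28,  # 4.2 through 4.2.27 affected, fixed in 4.2.28
}

# The advisory lists "5.0.x and earlier" (which subsumes 4.1.x and 3.2.x) as unsupported
# series that may also be affected. 4.2 is handled explicitly via FIXED_IN first.
UNSUPPORTED_CEILING = (5, 0)

# Assumption of this example: an upgrade target for series that have no fixed release.
# The advisory lists three fixed releases; the newest is used here.
DEFAULT_UPGRADE_TARGET = "6.0.2"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z'; pre-release suffixes such as 'rc1' or 'a1' are ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unsupported-may-be-affected' or 'not-listed'.

    'not-listed' covers series the advisory does not mention at all (e.g. 5.1.x, 6.1+).
    """
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[series] else "affected"
    if series <= UNSUPPORTED_CEILING:
        return "unsupported-may-be-affected"
    return "not-listed"


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release in the same series, or the default target for unsupported series.

    Returns None when no upgrade is called for by this advisory.
    """
    status = classify(version)
    if status == "affected":
        major, minor, _ = parse_version(version)
        return f"{major}.{minor}.{FIXED_IN[(major, minor)]}"
    if status == "unsupported-may-be-affected":
        return DEFAULT_UPGRADE_TARGET
    return None


if __name__ == "__main__":
    import sys
    try:
        import django  # uses the installed Django if present
        installed = django.get_version()
    except ImportError:
        # Constructed fallback so the script runs offline without Django installed.
        installed = sys.argv[1] if len(sys.argv) > 1 else "5.2.10"
    status = classify(installed)
    target = recommended_upgrade(installed)
    print(f"Django {installed}: {status}" + (f", upgrade to {target}" if target else ""))
```

Run it inside the target virtualenv, or pass a version string as the first argument to check a release without installing it.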

Fix

Weakness Enumeration: SQL injection

Related Identifiers

BIT-DJANGO-2026-1312
CVE-2026-1312
GHSA-6426-9FV3-65X8
MGASA-2026-0032
OESA-2026-1307
OESA-2026-1308
OESA-2026-1309
OESA-2026-1343
OESA-2026-1344
OESA-2026-1507
OPENSUSE-SU-2026:10145-1
OPENSUSE-SU-2026:10160-1
OPENSUSE-SU-2026:10247-1
OPENSUSE-SU-2026:20184-1
PYSEC-2026-47
RHSA-2026:14835
RHSA-2026:3958
RHSA-2026:3959
RHSA-2026:5970
RHSA-2026:5971
SUSE-SU-2026:0440-1
USN-8009-1

Affected Products

Django
Linuxmint
Red Os
Ubuntu