UNKNOWN PyPI
Django has an SQL Injection issue
GHSA-gvg8-93h5-g6qq · BIT-django-2026-1287 · CVE-2026-1287 · PYSEC-2026-46
Published · Modified
Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list(), and alias(). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-1287
- WEB https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22
- WEB https://docs.djangoproject.com/en/dev/releases/security
- PACKAGE https://github.com/django/django
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-46.yaml
- WEB https://groups.google.com/g/django-announce
- WEB https://www.djangoproject.com/weblog/2026/feb/03/security-releases
Ready to move
Start Securing
Free, no credit card | First findings in minutes