SQL Injection in Djangoproject Django
CVE-2026-1287
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion…
Vulnerability class: SQL Injection
EPSS: 0.000 (1.6th percentile) — read the EPSS interpretation.
Affected products
- Djangoproject Django — versions 6.0, 6.0.2, 5.2
Weakness classification (CWE)
References
- Django security archive (vendor-advisory)
- Django releases announcements (mailing-list)
- Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 (vendor-advisory)