CVE-2025-13372
published 2025-12-02


Priority: P4 (28), medium
CVSS 3.1 base score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS: 0.90% (55.3th percentile)
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Affected (7 ranges)

Vendor          Product         Version range                                          Fixed in
debian          python-django   < python-django 3:3.2.25-0+deb12u1 (bookworm)          python-django 3:3.2.25-0+deb12u1 (bookworm)
djangoproject   django          >= 4.2 < 4.2.27                                        4.2.27
djangoproject   django          >= 4.2a1 < 4.2.27                                      4.2.27
djangoproject   django          >= 5.1 < 5.1.15                                        5.1.15
djangoproject   django          >= 5.1a1 < 5.1.15                                      5.1.15
djangoproject   django          >= 5.2 < 5.2.9                                         5.2.9
djangoproject   django          >= 5.2a1 < 5.2.9                                       5.2.9

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      4.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
osv             -         4.3     MEDIUM     -
vendor_debian   -         4.3     MEDIUM     -
vendor_redhat   -         4.3     MEDIUM     -
vendor_ubuntu   -         4.3     MEDIUM     -