CVE-2026-1207
published 2026-02-03


Priority: P277 (medium), CVSS 3.1 base score 5.4
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N
Exploit status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 9.44% (94.8th percentile)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
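To make the bug class concrete, here is an added illustration, not Django's code and not its fix: a toy raster lookup that formats the band index into the PostGIS function call the way the advisory describes, next to a hardened variant that accepts only a genuine integer and binds it as a query parameter. The template and function names are hypothetical and no database is involved; the example only shows the SQL text and parameter list each variant would hand to the driver, using the band value from the probe URL on this page.

```python
# Illustrative reproduction of the bug class in this advisory. Not Django's
# code: a toy raster lookup that builds a PostGIS call the way the advisory
# describes (band index formatted into the SQL text), beside a hardened form.
# Names below (TEMPLATE, *_lookup_sql) are hypothetical.

# Attacker-controlled band value, taken from the probe URL on this page.
PROBE_BAND = "1) AND 1=CAST((SELECT version()) AS INT)--"

# Toy lookup template modelled on a PostGIS raster/geometry function call:
# ST_Intersects(<raster column>, <geometry>, <band index>).
TEMPLATE = "ST_Intersects(%(lhs)s, %(rhs)s)"


def vulnerable_lookup_sql(lhs_column, geom_wkt, band_index):
    """Vulnerable shape: the band index is string-formatted into the SQL.

    Returns (sql, params). The geometry travels as a bound parameter (%s),
    but whatever the caller passes as band_index lands verbatim in the text,
    so a string closes the function call and appends attacker SQL.
    """
    rhs = "%s, %s" % ("%s", band_index)
    sql = TEMPLATE % {"lhs": lhs_column, "rhs": rhs}
    return sql, [geom_wkt]


def hardened_lookup_sql(lhs_column, geom_wkt, band_index):
    """Hardened shape: accept only a genuine int, then bind it as a parameter.

    The type check rejects str (and bool, which is an int subclass) before any
    SQL is assembled; the placeholder means even a valid int never touches the
    query text.
    """
    if isinstance(band_index, bool) or not isinstance(band_index, int):
        raise TypeError("band index must be an int, got %r" % (band_index,))
    if band_index < 1:
        raise ValueError("PostGIS band indices start at 1")
    rhs = "%s, %s" % ("%s", "%s")  # two driver placeholders: geometry, band
    sql = TEMPLATE % {"lhs": lhs_column, "rhs": rhs}
    return sql, [geom_wkt, band_index]


def is_injected(sql):
    """Crude indicator for the example: attacker SQL ended up in the text."""
    return "SELECT version()" in sql


def hardened_rejects(band_index):
    """True when the hardened variant refuses the value (no SQL is built)."""
    try:
        hardened_lookup_sql("rast", "POINT(0 0)", band_index)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    sql, params = vulnerable_lookup_sql("rast", "POINT(0 0)", PROBE_BAND)
    print("vulnerable:", sql, params)
    sql, params = hardened_lookup_sql("rast", "POINT(0 0)", 1)
    print("hardened:  ", sql, params)
    print("hardened rejects probe:", hardened_rejects(PROBE_BAND))
```

Run with the probe value and the vulnerable variant emits `ST_Intersects(rast, %s, 1) AND 1=CAST((SELECT version()) AS INT)--)`, which is exactly the error-based probe the scanning URLs on this page send; the hardened variant refuses the same value before any SQL exists. Validating the type at the lookup boundary matters more than the placeholder, since a view that does `int(request.GET["band"])` already fails on injection, but a lookup that trusts whatever it receives does not.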

Affected (7 ranges)

Vendor          Product         Version range                      Fixed in
debian          python-django   < 3:3.2.25-0+deb12u2 (bookworm)    3:3.2.25-0+deb12u2 (bookworm)
djangoproject   django          >= 4.2 < 4.2.28                    4.2.28
djangoproject   django          >= 4.2a1 < 4.2.28                  4.2.28
djangoproject   django          >= 5.2 < 5.2.11                    5.2.11
djangoproject   django          >= 5.2a1 < 5.2.11                  5.2.11
djangoproject   django          >= 6.0 < 6.0.2                     6.0.2
djangoproject   django          >= 6.0a1 < 6.0.2                   6.0.2

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--
url: {{BaseURL}}/api/raster/search/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207)"; flow:established,to_server; http.uri; content:"|2f 3f|"; content:"band|3d|"; fast_pattern; distance:0; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,cloud.projectdiscovery.io/?template=CVE-2026-1207; reference:cve,2026-1207; classtype:web-application-attack; sid:2067723; rev:1; metadata:affected_product Django, attack_target Server, tls_state TLSDecrypt, created_at 2026_02_16, cve CVE_2026_1207, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • An HTTP 500 response whose body contains the PostgreSQL error 'invalid input syntax for type integer' indicates a successful error-based probe via the band index parameter. The string only reaches the client when the application echoes database errors (for example Django with DEBUG enabled, or an API layer that returns exception text); Django's default production 500 page carries no such detail, so its absence does not rule out a vulnerable endpoint.
  • Monitor HTTP requests where the 'band' query parameter contains SQL metacharacters (single/double quotes, semicolons, dashes, backslashes, asterisks, slashes, or their URL-encoded equivalents); this is what the Snort PCRE matches. The rule keys only on the parameter name and those characters, nothing Django-specific, so any application whose legitimate 'band' values contain a dash or slash will also trigger it; expect to tune it per deployment.
  • Exploitation targets endpoints that pass a user-supplied 'band' query parameter into a RasterField lookup. The paths '/' and '/api/raster/search/' above are the ones probed by the scanning template; the real endpoint is application-specific, so scope detection to the paths your own code exposes.
  • The payload uses error-based SQLi via type casting: injecting ') AND 1=CAST((SELECT version()) AS INT)--' as the band index closes the function call, then forces PostgreSQL to cast its version string to an integer, so the resulting error message leaks the database version.
  • Shodan/FOFA fingerprinting queries used by attackers to identify targets: Shodan 'django', FOFA 'app="Django"'.
  • The vulnerability only affects Django deployments using PostGIS with RasterField lookups whose band index is taken from untrusted input; standard Django deployments without PostGIS/RasterField are not impacted.
  • Earlier unsupported Django series (5.0.x, 4.1.x, 3.2.x) were not formally evaluated but may also be affected.
  • Red Hat products (Ansible Automation Platform, Satellite, OpenStack, etc.) are only affected if configured to use Django with PostGIS RasterField lookups.
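The request-side and response-side indicators above, expressed as a runnable check. This is an added example, not code from the page's sources or from the Snort rule's author: it transcribes the rule's URI matching into Python, pairs it with the 500-plus-error-string response check, and runs both over a few request records that are constructed for the example (the first reuses the probe URL from this page; the response bodies are made up to look like what PostgreSQL and Django would return).

```python
import re
from urllib.parse import unquote

# Transcription of the Snort rule's matching logic from this page: after the
# "/?" and "band=" content matches, the PCRE looks (lazily, never crossing an
# "&") for a raw SQL metacharacter ' " ; - \ * / or its percent-encoded form.
BAND_INJECT_RE = re.compile(
    r"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|%(?:2[27aAdDfF]|3[bB]|5[cC]))"
)

# Response-side indicator from the page: PostgreSQL's cast failure message,
# which only reaches the client when the app echoes database errors.
PG_CAST_ERROR = "invalid input syntax for type integer"


def band_param_suspicious(uri):
    """Return True when the raw (undecoded) request URI would fire the rule.

    Mirrors the rule's buffer logic: "/?" must appear in the URI, "band=" must
    follow it, and the PCRE is applied relative to the end of "band=". Every
    "band=" occurrence is tried so a benign first parameter cannot mask a
    malicious repeat.
    """
    anchor = uri.find("/?")
    if anchor < 0:
        return False
    for m in re.finditer(r"band=", uri[anchor:]):
        remainder = uri[anchor + m.end():]
        if BAND_INJECT_RE.match(remainder):
            return True
    return False


def probe_succeeded(status, body):
    """Response-side check: HTTP 500 plus the PostgreSQL cast error text."""
    return status == 500 and PG_CAST_ERROR in body


def triage(records):
    """Classify (uri, status, body) records. Returns one dict per record."""
    results = []
    for uri, status, body in records:
        fires = band_param_suspicious(uri)
        confirmed = fires and probe_succeeded(status, body)
        results.append(
            {
                "uri": unquote(uri),
                "rule_fires": fires,
                "probe_confirmed": confirmed,
            }
        )
    return results


# Constructed request records for the example (not real traffic).
SAMPLE_RECORDS = [
    # Probe URL from this page against an app that echoes database errors.
    ("/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--", 500,
     'invalid input syntax for type integer: "PostgreSQL 16.1 on x86_64"'),
    # Encoded quote against an app that hides database errors: the rule
    # fires, but the response gives no confirmation.
    ("/api/raster/search/?band=1%27", 500, "<h1>Server Error (500)</h1>"),
    # Benign integer band index: nothing fires.
    ("/api/raster/search/?band=3", 200, "[]"),
    # Benign-looking value with a dash: the rule fires anyway (the false
    # positive class to expect on other apps with a 'band' parameter).
    ("/api/raster/search/?band=1-2", 400, "bad band"),
    # No slash before "?": the rule's "/?" content match never anchors.
    ("/search?band=1%27", 500, "<h1>Server Error (500)</h1>"),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

Feed it undecoded URIs straight from the access log: the rule inspects the raw buffer, so decoding first would both hide the percent-encoded branch and change what "-" or "/" means. The last sample record is worth noting when deploying the rule behind a URL scheme without trailing slashes, since the `|2f 3f|` content match requires a slash immediately before the query string.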

CVSS provenance

nvd            v3.1   5.4   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
osv                   5.4   MEDIUM
vulncheck             5.4   MEDIUM
vendor_debian         5.4   MEDIUM
vendor_redhat         5.4   MEDIUM
vendor_ubuntu         5.3   MEDIUM