CVE-2026-1207
Published 2026-02-03
CVE-2026-1207: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows…
Priority P277 · medium · 5.4 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.44% (94.8th percentile)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u2 (bookworm) | python-django 3:3.2.25-0+deb12u2 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.28 | 4.2.28 |
| djangoproject | django | >= 4.2a1 < 4.2.28 | 4.2.28 |
| djangoproject | django | >= 5.2 < 5.2.11 | 5.2.11 |
| djangoproject | django | >= 5.2a1 < 5.2.11 | 5.2.11 |
| djangoproject | django | >= 6.0 < 6.0.2 | 6.0.2 |
| djangoproject | django | >= 6.0a1 < 6.0.2 | 6.0.2 |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--
url: {{BaseURL}}/api/raster/search/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207)"; flow:established,to_server; http.uri; content:"|2f 3f|"; content:"band|3d|"; fast_pattern; distance:0; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,cloud.projectdiscovery.io/?template=CVE-2026-1207; reference:cve,2026-1207; classtype:web-application-attack; sid:2067723; rev:1; metadata:affected_product Django, attack_target Server, tls_state TLSDecrypt, created_at 2026_02_16, cve CVE_2026_1207, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- HTTP 500 response combined with PostgreSQL error message 'invalid input syntax for type integer' in the response body indicates a successful SQL injection probe via the band index parameter.
- Monitor HTTP requests where the 'band' query parameter contains SQL injection characters or sequences (single/double quotes, semicolons, dashes, backslashes, asterisks, slashes, or URL-encoded equivalents), as matched by the Snort PCRE pattern.
- Exploitation targets endpoints with a 'band=' query parameter, specifically paths such as '/' and '/api/raster/search/' on Django+PostGIS deployments.
- The exploit payload uses a type-casting error-based SQLi technique: injecting ') AND 1=CAST((SELECT version()) AS INT)--' into the band index parameter to trigger a PostgreSQL error leaking the DB version.
- Shodan/FOFA fingerprinting queries used by attackers to identify targets: shodan 'django', FOFA 'app="Django"'.
- Vulnerability only affects Django deployments using PostGIS with RasterField lookups; standard Django deployments without PostGIS/RasterField are not impacted.
- Earlier unsupported Django series (5.0.x, 4.1.x, 3.2.x) were not formally evaluated but may also be affected.
- Red Hat products (Ansible Automation Platform, Satellite, OpenStack, etc.) are only affected if configured to use Django with PostGIS RasterField lookups.
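The Snort/Suricata rule above keys on "/?" followed by "band=" and then runs a PCRE over the parameter value; the first bullet adds a response-side indicator (HTTP 500). The Python below is an added example written for this page, not code from the ET rule, the Nuclei template or Django: it re-implements the rule's match logic over a few constructed access-log lines and uses the 500 status on a flagged request to rank hits. The log format, IP addresses and timestamps are constructed, and the `Finding` class and function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined-log style); not from any real server.
# Line 3 carries the URL IOC listed on this page; line 5 is a benign-looking value
# that the rule nevertheless flags because of the dash.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2026:10:00:01 +0000] "GET /api/raster/search/?band=1 HTTP/1.1" 200 512
10.0.0.5 - - [16/Feb/2026:10:00:02 +0000] "GET /api/raster/search/?band=1%27 HTTP/1.1" 500 98
10.0.0.7 - - [16/Feb/2026:10:00:03 +0000] "GET /?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)-- HTTP/1.1" 500 98
10.0.0.9 - - [16/Feb/2026:10:00:04 +0000] "GET /api/raster/search/?layer=3&band=2 HTTP/1.1" 200 512
10.0.0.9 - - [16/Feb/2026:10:00:05 +0000] "GET /api/raster/search/?band=2-1 HTTP/1.1" 400 40
10.0.0.9 - - [16/Feb/2026:10:00:06 +0000] "POST /api/raster/search/ HTTP/1.1" 200 512
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Python equivalent of the rule's PCRE, applied relative to the end of "band=":
# a lazy run of non-'&' characters followed by one raw SQL metacharacter
# (' " ; - \ * /) or its URL-encoded form (%22 %27 %2A %2D %2F %3B %5C).
BAND_VALUE_RE = re.compile(r"""[^&]*?(?:['";\-\\*/]|%(?:2[27aAdDfF]|3[bB]|5[cC]))""")


def matches_snort_rule(uri: str) -> bool:
    """Mirror the rule's content/pcre chain: "/?" first, then "band=" at or after it,
    then the metacharacter pattern on the parameter value."""
    qmark = uri.find("/?")            # content:"|2f 3f|"
    if qmark < 0:
        return False
    band = uri.find("band=", qmark + 2)   # content:"band|3d|"; distance:0
    if band < 0:
        return False
    value = uri[band + len("band="):]
    return BAND_VALUE_RE.match(value) is not None   # pcre with /R (relative)


@dataclass
class Finding:
    ip: str
    uri: str
    status: int
    severity: str   # "probe" or "probable-success"


def scan_log(text: str) -> list:
    """Flag requests the rule would alert on; a 500 on a flagged request is the
    page's second indicator that the injected text reached PostgreSQL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        if not matches_snort_rule(uri):
            continue
        status = int(m.group("status"))
        severity = "probable-success" if status == 500 else "probe"
        findings.append(Finding(m.group("ip"), uri, status, severity))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:17s} {f.ip:10s} {f.status} {f.uri}")
```

Two caveats the rule itself carries: it fires on any dash or slash in the value, so `band=2-1` is flagged exactly like a real probe (expect false positives from arithmetic-looking or path-like values), and its `tls_state TLSDecrypt` metadata means it only sees HTTPS traffic where the sensor decrypts. The access log has no response body, so the 'invalid input syntax for type integer' string from the first bullet has to be checked in application or database logs before treating a 500 as confirmation.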
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv | 5.4 | MEDIUM | |
| vulncheck | 5.4 | MEDIUM | |
| vendor_debian | 5.4 | MEDIUM | |
| vendor_redhat | 5.4 | MEDIUM | |
| vendor_ubuntu | 5.3 | MEDIUM | |
VulDB
Django up to 4.2.27/5.2.10/6.0.1 band index sql injection (Nessus ID 297749 / WID-SEC-2026-0297)
vuldb·2026-07-01·CVSS 5.4
CVE-2026-1207 [MEDIUM] Django up to 4.2.27/5.2.10/6.0.1 band index sql injection (Nessus ID 297749 / WID-SEC-2026-0297)
A vulnerability was found in Django up to 4.2.27/5.2.10/6.0.1. It has been classified as critical. This issue affects some unknown processing. The manipulation of the argument band index leads to sql injection.
This vulnerability is referenced as CVE-2026-1207. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
OSV
python-django vulnerabilities
osv·2026-02-03·CVSS 5.3
CVE-2025-13473 [MEDIUM] python-django vulnerabilities
It was discovered that Django exposed timing information when checking
passwords. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests
with duplicate headers. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An
attacker could possibly use this issue to perform SQL injection attacks.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)
Seokchan Yoon discovered that Django incorrect
OSV
Django has an SQL Injection issue
osv·2026-02-03
CVE-2026-1207 [HIGH] Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
GHSA
Django has an SQL Injection issue
ghsa·2026-02-03
CVE-2026-1207 [HIGH] CWE-89 Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
OSV
CVE-2026-1207: An issue was discovered in 6
osv·2026-02-03·CVSS 5.4
CVE-2026-1207 [MEDIUM] CVE-2026-1207: An issue was discovered in 6
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
VulnCheck
djangoproject django Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2026·CVSS 5.4
CVE-2026-1207 [MEDIUM] djangoproject django Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Affected: djangoproject django
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2026-1207; https://www.crowdsec.net/vul
Red Hat
Django: Django: SQL Injection via RasterField band index parameter
vendor_redhat·2026-02-03·CVSS 5.4
CVE-2026-1207 [MEDIUM] CWE-89 Django: Django: SQL Injection via RasterField band index parameter
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
A flaw was found in Django. A remote attacker could inject SQL commands by manipulating the band index parameter during raster lookups on `RasterField` (only implemented on PostGIS). This SQL injection vulnerability could lead to unauthorized information disclosure, data alteration, or denial of service.
Statement: This IMPORTA
Ubuntu
Django vulnerabilities
vendor_ubuntu·2026-02-03·CVSS 5.3
CVE-2026-1312 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django exposed timing information when checking
passwords. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests
with duplicate headers. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An
attacker could possibly use this issue to perform SQL injection attacks.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-20
Debian
CVE-2026-1207: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...
vendor_debian·2026·CVSS 5.4
CVE-2026-1207 [MEDIUM] CVE-2026-1207: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u2)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u12)
forky: resolved (fixed in 3:4.2.28-1)
sid: resolved (fixed in 3:4.2.28-1)
trixie: resolved (fixed in 3:4.2.28-0+deb13u1)
Suricata
ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207)
suricata·2026-02-16·CVSS 5.4
CVE-2026-1207 [MEDIUM] ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django SQL Injection via raster lookups on PostGIS (CVE-2026-1207)"; flow:established,to_server; http.uri; content:"|2f 3f|"; content:"band|3d|"; fast_pattern; distance:0; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,cloud.projectdiscovery.io/?template=CVE-2026-1207; reference:cve,2026-1207; classtype:web-application-attack; sid:2067723; rev:1; metadata:affected_product Django, attack_target Server, tls_state TLSDecrypt, created_at 2026_02_16, cve CVE_2026_1207, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_16,
Nuclei
Django RasterField - SQL Injection
nuclei·CVSS 5.4
CVE-2026-1207 [MEDIUM] Django RasterField - SQL Injection
Django < 6.0.2, < 5.2.11, and < 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input.
Template:
```yaml
id: CVE-2026-1207
info:
  name: Django RasterField - SQL Injection
  author: omarkurt
  severity: high
  description: |
    Django < 6.0.2, < 5.2.11, and < 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
  remediation: |
    Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.
  reference:
    -
```
Wiz
CVE-2026-1207 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-1207 [MEDIUM] CVE-2026-1207 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1207: Django vulnerability analysis and mitigation (RasterField)
Source: NVD
Score: 5.4
Published: February 3, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: Django, Chainguard
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 88.2
Exploitation Probability (EPSS): 3.8
Affected packages and libraries: py3-django, python3-django-bash-completion
Sources: NVD
| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23 | MEDIUM | Has Fix | Feb 10, 2026 |
| Alpine edge | MEDIUM | Has Fix | Feb 08, 2026 |
| Chainguard | | Has Fix | Feb 08, 2026 |
| Debian 11, 12, 13, 14 | MEDIUM | Has Fix | Feb 04, 2026 |
| Echo | MEDIUM | Has Fix | Feb 04, 2026 |
| pip | HIGH | Has Fix | |
Bugzilla
CVE-2026-1207 python-django3: Django: SQL Injection via RasterField band index parameter [epel-8]
bugzilla·2026-02-04·CVSS 5.4
CVE-2026-1207 [MEDIUM] CVE-2026-1207 python-django3: Django: SQL Injection via RasterField band index parameter [epel-8]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Package `python-django3` is retired on the `epel8` dist-git branch (the `dead.package` marker is present); closing as CANTFIX since there's no live package to update.
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
https://access.redhat.com/errata/RHSA-2026:14835
https://access.redhat.com/errata/RHSA-2026:2694
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:3959
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:3962
https://access.redhat.com/errata/RHSA-2026:5970
https://access.redhat.com/errata/RHSA-2026:5971
https://access.redhat.com/errata/RHSA-2026:6291
https://access.redhat.com/security/cve/CVE-2026-1207
https://bugzilla.redhat.com/show_bug.cgi?id=2436338
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1207.json