CVE-2026-1287
Published 2026-02-03. CVE-2026-1287: An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via…
Priority: P3 (38) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.75% (50.4th percentile)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.
In practice the precondition is application code that builds that mapping from untrusted input: when the dictionary is expanded with `**`, its keys become the column aliases, so the alias name, not the annotation value, is the injection point. The advisory publishes no payload; the fix is to upgrade to 4.2.28, 5.2.11 or 6.0.2, and validating alias names in application code is defense in depth rather than a substitute for the patch.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
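The pattern the advisory describes, as an added example (my code, not Django's, and not a reproduction of the reported payload): the dictionary keys an application expands into `annotate(**kwargs)` become column aliases, so alias validation is the control that matters. The `DENYLIST` regex below is an illustrative stand-in for a forbidden-characters check and is not Django's actual pattern; it shows why that style of check is fragile (Python's `\s` matches whitespace but not NUL or ESC, so those survive it) and contrasts it with an allow-list that accepts only plain identifiers. Function and constant names are mine and the sample keys are constructed.

```python
"""Defensive alias validation for dict keys that an app expands into
QuerySet.annotate(**kwargs) and friends.

Added illustration; none of this is Django's code. DENYLIST is my own
stand-in for a "forbidden characters" check and is NOT Django's pattern.
"""
import re
import unicodedata

# Denylist (illustrative, not Django's): quote characters, brackets,
# statement separator, whitespace and SQL comment markers.
DENYLIST = re.compile(r"""['"`\[\];\s]|--|/\*|\*/""")

# Allowlist: the alias must be exactly one plain identifier. Anything that is
# not [A-Za-z0-9_] is rejected, so no control character can get through.
ALLOWLIST = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def denylist_allows(alias: str) -> bool:
    """True when the denylist finds nothing objectionable in *alias*."""
    return DENYLIST.search(alias) is None


def allowlist_allows(alias: str) -> bool:
    """True when *alias* is exactly one plain identifier."""
    return ALLOWLIST.fullmatch(alias) is not None


def control_chars(alias: str) -> list[str]:
    """Control characters (Unicode category Cc) present in *alias*."""
    return [ch for ch in alias if unicodedata.category(ch) == "Cc"]


def safe_annotate_kwargs(untrusted: dict) -> dict:
    """Return a copy of *untrusted* whose keys are all allow-listed aliases.

    Fails closed: the first bad key raises; nothing is silently dropped.
    Intended use:  qs.annotate(**safe_annotate_kwargs(request_mapping))
    """
    cleaned = {}
    for key, value in untrusted.items():
        if not isinstance(key, str) or not allowlist_allows(key):
            raise ValueError(f"rejected alias {key!r}")
        cleaned[key] = value
    return cleaned


def rejects_key(key) -> bool:
    """Does safe_annotate_kwargs refuse a mapping with this key?"""
    try:
        safe_annotate_kwargs({key: None})
    except ValueError:
        return True
    return False


# Constructed sample keys of the kind an attacker could send as JSON object
# keys to an endpoint that expands the object into annotate(**...).
SAMPLE_KEYS = {
    "total": "plain identifier",
    "total FROM x": "space: caught by \\s in the denylist",
    "total\x00x": "NUL: not whitespace, slips past the denylist",
    "total\x1bx": "ESC: same",
}


def compare(keys=SAMPLE_KEYS) -> dict[str, tuple[bool, bool]]:
    """Map each key to (denylist_allows, allowlist_allows)."""
    return {k: (denylist_allows(k), allowlist_allows(k)) for k in keys}


if __name__ == "__main__":
    for key, (deny_ok, allow_ok) in compare().items():
        print(f"{key!r:20} denylist passes={deny_ok!s:5} "
              f"allowlist passes={allow_ok!s:5} control chars={control_chars(key)}")
```

Apply the allow-list at the boundary where the mapping is built from request data, and still upgrade: the allow-list hardens application code, it does not patch the ORM.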
Affected
33 ranges · showing 25
Rows that concern CVE-2026-1287 (upstream Django and the Debian package):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 3:3.2.25-0+deb12u2 (bookworm) | 3:3.2.25-0+deb12u2 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.28 | 4.2.28 |
| djangoproject | django | >= 4.2a1 < 4.2.28 | 4.2.28 |
| djangoproject | django | >= 5.2 < 5.2.11 | 5.2.11 |
| djangoproject | django | >= 5.2a1 < 5.2.11 | 5.2.11 |
| djangoproject | django | >= 6.0 < 6.0.2 | 6.0.2 |
| djangoproject | django | >= 6.0a1 < 6.0.2 | 6.0.2 |
The remaining rows of the listing are not Django ranges. They belong to other advisories that carry CWE-1287 (Improper Validation of Specified Type of Input) as their weakness id, which the aggregator has attached to this CVE because the numbers coincide: the fastify range matches CVE-2026-33806 and the Mattermost ranges match CVE-2026-25783, both listed further down this page, and the Microsoft products come from MSRC advisories that share the CWE. None of them is affected by CVE-2026-1287.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fastify | fastify | >= 5.3.2 < 5.8.5 | 5.8.5 |
| github.com | mattermost_mattermost-server | >= 0 < 5.3.2-0.20260129181235-1346cf529aef | 5.3.2-0.20260129181235-1346cf529aef |
| github.com | mattermost_mattermost-server | >= 10.11.0-rc1 < 10.11.11 | 10.11.11 |
| github.com | mattermost_mattermost-server | >= 11.2.0-rc1 < 11.2.3 | 11.2.3 |
| github.com | mattermost_mattermost-server | >= 11.3.0-rc1 < 11.3.1 | 11.3.1 |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20260129181235-1346cf529aef | 8.0.0-20260129181235-1346cf529aef |
| msrc | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3 | — | — |
| msrc | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3_azure_connect_fea | — | — |
| msrc | microsoft_sql_server_2017_for_x64-based_systems | — | — |
| msrc | microsoft_sql_server_2019_for_x64-based_systems | — | — |
| msrc | microsoft_sql_server_2022_for_x64-based_systems | — | — |
| msrc | microsoft_sql_server_2025_for_x64-based_systems | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
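A small checker for the Django ranges in the table above, as an added example (my code, not Django's or any distributor's tooling; function names are mine and the requirements text is constructed). It orders pre-releases before final releases so `6.0a1` counts as vulnerable, reports the series the advisory did not evaluate separately instead of calling them safe, and flags unpinned Django lines rather than guessing what the resolver would pick. Distribution versions with epochs such as `3:3.2.25-0+deb12u2` are out of scope and come back as `unparsed`.

```python
"""Flag Django pins that fall inside the CVE-2026-1287 ranges.

Added example, not Django or distributor tooling. Ranges come from the
advisory (4.2 < 4.2.28, 5.2 < 5.2.11, 6.0 < 6.0.2); older series are reported
as 'unevaluated' because the advisory says they were not assessed.
"""
import re

FIXED_IN = {(4, 2): "4.2.28", (5, 2): "5.2.11", (6, 0): "6.0.2"}

# major.minor[.patch][a|b|rc N]   e.g. 4.2.27, 6.0a1, 6.0.2rc1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")
PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # final releases sort last
# name [op version]; environment markers and comments are stripped before use
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|~=|>=|<=|!=|<|>)?\s*([0-9][0-9A-Za-z.]*)?")


def parse(version: str):
    """Tuple that sorts like PEP 440 for the shapes Django uses, or None."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre, num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(num or 0))


def status(version: str) -> str:
    """'vulnerable', 'fixed', 'unevaluated', 'not_listed' or 'unparsed'."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"
    series = parsed[:2]
    if series in FIXED_IN:
        return "fixed" if parsed >= parse(FIXED_IN[series]) else "vulnerable"
    if series > max(FIXED_IN):
        return "not_listed"      # newer than any series the advisory names
    return "unevaluated"         # 5.1.x, 5.0.x, 4.1.x, 3.2.x ...: not assessed upstream


def scan_requirements(text: str) -> list[tuple[str, str]]:
    """(spec, status) for every Django line in a requirements-style text.

    Only '==' pins are evaluated; any other Django line is reported as
    'unpinned' so a human looks at what the resolver actually installed.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m or m.group(1).lower() != "django":
            continue
        _name, op, version = m.groups()
        if op == "==" and version:
            findings.append((version, status(version)))
        else:
            findings.append((line, "unpinned"))
    return findings


# Constructed sample, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
Django==4.2.27
requests==2.32.3
django==6.0a1 ; python_version >= "3.12"
Django>=5.2   # unpinned: the resolver picks whatever is newest
Django==5.2.11
"""

if __name__ == "__main__":
    for spec, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{spec:40} {verdict}")
```

Run it over a frozen environment (`pip freeze` output has the same `name==version` shape) rather than over a loose requirements file, because the pinned version is the one that matters.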
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| ghsa | 7.5 | HIGH | — |
| osv | 5.4 | MEDIUM | — |
| vendor_msrc | 8.8 | HIGH | — |
| vendor_redhat | 8.2 | HIGH | — |
| vendor_cisco | 7.5 | HIGH | — |
| vendor_debian | 5.4 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
The sources do not all score the same thing. The 5.4 figures from NVD, OSV and Debian are this CVE: AC:L and UI:N, but PR:L and partial C/I because the attacker needs a code path that expands a dictionary they control into one of the listed QuerySet calls. GHSA's 7.5/HIGH is its own rating of this CVE (its entry below is labelled HIGH). The msrc, redhat and cisco rows are aggregator cross-contamination from advisories filed under CWE-1287: Red Hat's own entry for CVE-2026-1287 further down this page scores it 5.4, not 8.2; the Cisco 7.5 matches the Cisco RoomOS advisory listed below; and Microsoft publishes no Django advisory. Ubuntu's 5.3 is attached to its multi-CVE Django notice (headed CVE-2026-1312), not to this CVE alone.
VulDB
Django up to 4.2.27/5.2.10/6.0.1 annotate/aggregate/extra/values/values_list/alias sql injection (Nessus ID 297742 / WID-SEC-2026-0297)
vuldb·2026-07-01·CVSS 5.4
CVE-2026-1287 [MEDIUM] Django up to 4.2.27/5.2.10/6.0.1 annotate/aggregate/extra/values/values_list/alias sql injection (Nessus ID 297742 / WID-SEC-2026-0297)
A vulnerability was found in Django up to 4.2.27/5.2.10/6.0.1. It has been rated as critical. The affected element is the function annotate/aggregate/extra/values/values_list/alias. This manipulation causes sql injection.
This vulnerability is tracked as CVE-2026-1287. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
ghsa·2026-05-22
CVE-2026-7887 [LOW] CWE-1287 Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.
GHSA
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
ghsa·2026-04-15·CVSS 7.5
CVE-2026-33806 [HIGH] CWE-1287 Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
### Summary
A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via `schema.body.content` can be completely circumvented by prepending a single space character (`\x20`) to the `Content-Type` header. The body is still parsed correctly as JSON (or any other content type), but schema validation is entirely skipped.
This is a regression introduced by commit [`f3d2bcb`](https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4) (fix for [CVE-2025-32442](https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc)).
### Details
The vulnerability is a **parser-validator differential** between two independent code paths
GHSA
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
ghsa·2026-03-18
CVE-2026-2092 [HIGH] CWE-1287 Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
GHSA
Mattermost fails to properly validate User-Agent header tokens
ghsa·2026-03-16
CVE-2026-25783 [MEDIUM] CWE-1287 Mattermost fails to properly validate User-Agent header tokens
Mattermost fails to properly validate User-Agent header tokens
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
GHSA
Django has an SQL Injection issue
ghsa·2026-02-03
CVE-2026-1287 [HIGH] CWE-89 Django has an SQL Injection issue
Django has an SQL Injection issue
Description identical to the CVE record at the top of this page.
OSV
python-django vulnerabilities
osv·2026-02-03·CVSS 5.3
CVE-2025-13473 [MEDIUM] python-django vulnerabilities
python-django vulnerabilities
It was discovered that Django exposed timing information when checking passwords. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-13473)
Jiyong Yang discovered that Django incorrectly handled malformed requests with duplicate headers. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)
Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)
Seokchan Yoon discovered that Django incorrect
OSV
CVE-2026-1287: An issue was discovered in 6
osv·2026-02-03·CVSS 5.4
CVE-2026-1287 [MEDIUM] CVE-2026-1287: An issue was discovered in 6
Description identical to the CVE record at the top of this page.
OSV
Django has an SQL Injection issue
osv·2026-02-03
CVE-2026-1287 [HIGH] Django has an SQL Injection issue
Django has an SQL Injection issue
Description identical to the CVE record at the top of this page.
Red Hat
vllm: vLLM: Denial of Service due to improper floating-point validation
vendor_redhat·2026-06-22·CVSS 6.5
CVE-2026-54235 [MEDIUM] CWE-1287 vllm: vLLM: Denial of Service due to improper floating-point validation
vllm: vLLM: Denial of Service due to improper floating-point validation
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, all temperature validation gates use comparison operators, which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that can crash the inference worker. This vulnerability is fixed in 0.23.1rc0.
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). The temperature validation gates, which use comparison operators, incorrectly handle Not-a-Number (NaN) and positive Infinity values in Python's IEEE 754 float semantics. The
Red Hat
kernel: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
vendor_redhat·2026-06-03·CVSS 7.0
CVE-2026-46266 [MEDIUM] CWE-1287 kernel: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
kernel: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
A flaw was found in the Linux kernel's handling of RAW sockets using IPPROTO_RAW. A remote attacker could send a specially crafted ICMP (Internet Control Message Protocol) packet. This malicious packet could set the protocol field to 255, causing it to be processed by a RAW socket configured for IPPROTO_RAW. This leads to unintended FNHE (Flow N-tuple Hash Entry) cache changes, which could result in unexpected network behavior.
Package: kernel (Red Hat Enterprise Linux 10) - Affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Affected
Package: kernel (Red Hat Enterprise Linux 8) - Affecte
Red Hat
kernel: net: usb: catc: enable basic endpoint checking
vendor_redhat·2026-05-27·CVSS 5.5
CVE-2026-45923 [LOW] CWE-1287 kernel: net: usb: catc: enable basic endpoint checking
kernel: net: usb: catc: enable basic endpoint checking
A flaw was found in the Linux kernel's `net: usb: catc` driver. A malformed Universal Serial Bus (USB) device can present endpoint descriptors with transfer types that differ from what the driver expects. This can lead to the driver attempting to use incorrect endpoint types, potentially causing unexpected behavior or resource exhaustion within the kernel. The vulnerability is resolved by adding checks to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time.
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Fix deferred
Package: kernel-rt (Red Hat Enterprise Linux 7)
Red Hat
kernel: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
vendor_redhat·2026-05-27·CVSS 5.5
CVE-2026-46024 [MEDIUM] CWE-1287 kernel: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
kernel: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
A flaw was found in the Linux kernel's libceph component. A remote attacker could send a specially crafted authentication reply message to trigger a null pointer dereference. This vulnerability can lead to a system crash, resulting in a Denial of Service (DoS) for affected systems.
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Fix deferred
Package: kernel-rt (Red Hat Enterprise Linux 7) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 8) - Fix deferred
Package: kernel-rt (Red Hat Enterprise Linux 8) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 9) - Fix deferred
Pac
Red Hat
Net::CIDR::Lite: perl: Net::CIDR::Lite: IP ACL bypass due to improper input validation
vendor_redhat·2026-05-10·CVSS 6.5
CVE-2026-45190 [MEDIUM] CWE-1287 Net::CIDR::Lite: perl: Net::CIDR::Lite: IP ACL bypass due to improper input validation
Net::CIDR::Lite: perl: Net::CIDR::Lite: IP ACL bypass due to improper input validation
A flaw was found in Net::CIDR::Lite, a Perl module for handling IP address ranges. This vulnerability allows a remote attacker to bypass IP Access Control Lists (ACLs) due to improper validation of IP address and CIDR (Classless Inter-Domain Routing) mask inputs. Specifically, inputs containing trailing newlines or non-ASCII digit characters are incorrectly processed, leading to a mismatch between the intended and actual IP addresses. This can cause functions like `find()` and `bin_find()` to incorrectly allow or deny access, compromising network security policies.
Mitigation: To mitigate this issue, ensure that all IP address and CIDR mask inputs processed by applications utilizing the `Net::CIDR::Lit
Red Hat
kernel: net: usb: pegasus: enable basic endpoint checking
vendor_redhat·2026-05-06·CVSS 7.0
CVE-2026-43156 [MEDIUM] CWE-1287 kernel: net: usb: pegasus: enable basic endpoint checking
kernel: net: usb: pegasus: enable basic endpoint checking
A flaw was found in the Linux kernel's USB Pegasus driver. This vulnerability allows a local attacker to use a specially crafted USB device to bypass expected endpoint checks. By presenting unexpected transfer types, the malicious device could trigger a system assertion, potentially leading to a denial of service (DoS) condition.
Package: kernel (Red Hat Enterprise Linux 10) - Affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Affected
Package: kernel (Red Hat Enterprise Linux 8) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Affected
Package: kernel (Red Hat Enterprise Linux 9) -
Red Hat
kernel: drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
vendor_redhat·2026-05-06
CVE-2026-43243 CWE-1287 kernel: drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
kernel: drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
A flaw was found in the `drm/amd/display` component of the Linux kernel. A missing signal type check in the `dcn401 get_phyd32clk_src` function, when attempting to access link encoder (`link enc`) on a DisplayPort Interoperability and Compliance Association (DPIA) link, can lead to a system crash. This vulnerability could result in a Denial of Service (DoS).
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - No
Red Hat
kernel: minix: Add required sanity checking to minix_check_superblock()
vendor_redhat·2026-05-06·CVSS 7.0
CVE-2026-43209 [MEDIUM] CWE-1287 kernel: minix: Add required sanity checking to minix_check_superblock()
kernel: minix: Add required sanity checking to minix_check_superblock()
A flaw was found in the Linux kernel's minix filesystem implementation. The `minix_check_superblock()` function lacks proper sanity checks for superblock fields, including `s_log_zone_size`. This oversight could allow a local attacker to craft a malicious minix filesystem that, when mounted, may lead to a system crash or corruption, resulting in a Denial of Service (DoS).
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterp
Red Hat
libModSecurity3: ModSecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation
vendor_redhat·2026-05-05·CVSS 8.2
CVE-2026-30923 [HIGH] CWE-1287 libModSecurity3: ModSecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation
libModSecurity3: ModSecurity: ModSecurity: Denial of Service via crafted query string parameter in t:hexDecode transformation
A flaw was found in libModSecurity3, a component of the ModSecurity web application firewall (WAF). An attacker can exploit a segmentation fault by sending a specially crafted query string parameter containing a single character, which is then processed by a rule using the t:hexDecode transformation. This can cause worker processes to crash, leading to a denial of service (DoS) for the affected system.
Package: mod_security (Red Hat Enterprise Linux 7) - Affected
Package: mod_security (Red Hat Enterprise Linux 8) - Affected
Package: mod_security (Red Hat Enterprise Linux 9) - Affected
Red Hat
kernel: HID: multitouch: Check to ensure report responses match the request
vendor_redhat·2026-05-01·CVSS 7.0
CVE-2026-43047 [MEDIUM] CWE-1287 kernel: HID: multitouch: Check to ensure report responses match the request
kernel: HID: multitouch: Check to ensure report responses match the request
A flaw was found in the Linux kernel's Human Interface Device (HID) multitouch subsystem. A malicious or improperly configured HID device can respond to a feature request with an incorrect report ID. This confusion in the HID core can lead to out-of-bounds writes, potentially allowing a local attacker to achieve arbitrary code execution or cause a denial of service.
Package: kernel (Red Hat Enterprise Linux 10) - Affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Affected
Package: kernel (Red Hat Enterprise Linux 8) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Af
Red Hat
wireshark: Wireshark: Denial of service via AFP Spotlight protocol dissector crash
vendor_redhat·2026-04-30·CVSS 5.5
CVE-2026-5401 [MEDIUM] CWE-1287 wireshark: Wireshark: Denial of service via AFP Spotlight protocol dissector crash
wireshark: Wireshark: Denial of service via AFP Spotlight protocol dissector crash
A flaw was found in Wireshark. An attacker could craft a malicious network trace file that, when opened by a user, would trigger a crash in the AFP Spotlight protocol dissector. This vulnerability leads to a denial of service, making the application unavailable.
Mitigation: To mitigate this issue, users should avoid opening untrusted or suspicious network trace files with Wireshark. Exercise caution when handling files from unknown sources to prevent triggering the denial of service.
Package: wireshark (Red Hat Enterprise Linux 10) - Fix deferred
Package: wireshark (Red Hat Enterprise Linux 6) - Fix deferred
Package: wireshark (Red Hat Enterprise Linux 7) - Fix deferred
Package: wireshark (Red Hat Ente
Red Hat
kernel: ocfs2: handle invalid dinode in ocfs2_group_extend
vendor_redhat·2026-04-24
CVE-2026-31596 CWE-1287 kernel: ocfs2: handle invalid dinode in ocfs2_group_extend
kernel: ocfs2: handle invalid dinode in ocfs2_group_extend
A flaw was found in the OCFS2 (Oracle Cluster File System, version 2) component of the Linux kernel. A local attacker with control over a specially crafted filesystem could exploit a vulnerability in the `ocfs2_group_extend` function. This flaw arises from an insufficient validation of a global bitmap inode block, allowing a crafted filesystem to bypass structural validation. Successful exploitation leads to a kernel crash, resulting in a denial of service.
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Ente
Red Hat
kernel: netfilter: ctnetlink: use netlink policy range checks
vendor_redhat·2026-04-22·CVSS 5.5
CVE-2026-31495 [MEDIUM] CWE-1287 kernel: netfilter: ctnetlink: use netlink policy range checks
kernel: netfilter: ctnetlink: use netlink policy range checks
A flaw was found in the Linux kernel's netfilter connection tracking (ctnetlink) component. This vulnerability, related to improper input validation, allows an attacker to provide malformed netlink policy attributes. Specifically, invalid values for TCP window scaling (WSCALE) could lead to undefined behavior within the kernel. This could result in a system crash, causing a Denial of Service (DoS) for affected systems.
Package: kernel (Red Hat Enterprise Linux 10) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Fix deferred
Package: kernel-rt (Red Hat Enterprise Linux 7) - Fix deferred
Package: kernel (Red Hat Enterprise Linux 8) - Fix deferr
Red Hat
pip: pip: Incorrect file installation due to improper archive handling
vendor_redhat·2026-04-20·CVSS 4.6
CVE-2026-3219 [MEDIUM] CWE-1287 pip: pip: Incorrect file installation due to improper archive handling
pip: pip: Incorrect file installation due to improper archive handling
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an attacker to influence the installation process by providing a specially crafted archive.
Package: lightspeed-core/lightspeed-stack-rhel9 (Lightspeed Core) - Fix deferred
Package: lightspeed-core/rag-tool-rhel9 (Lightspeed Core) - Fix deferred
Package: mta/mta-rhel9-operator (Migration Toolkit for Applications 8) - Fix deferred
Package: migration-toolkit-virtualization/mtv-rhel9-operator (Migration
Red Hat
kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
vendor_redhat·2026-04-13·CVSS 5.5
CVE-2026-31424 [MEDIUM] CWE-1287 kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
A flaw was found in the Linux kernel's netfilter subsystem, specifically within the x_tables and arptables components. This vulnerability arises when xt_match and xt_target extensions, registered for unspecified protocol families, are incorrectly processed by the Address Resolution Protocol (ARP) subsystem. An attacker could exploit this by crafting network packets that trigger a mismatch in hook validation, leading to a null pointer dereference and ultimately a kernel panic, resulting in a Denial of Service (DoS) for the affected system.
Statement: Incorrect extension registration for ARP chains is a correctness bug in the netfilter compatibility path. Exploitation for a panic requires a priv
Red Hat
kernel: ALSA: usb-audio: Use correct version for UAC3 header validation
vendor_redhat·2026-03-25·CVSS 6.6
CVE-2026-23318 [MEDIUM] CWE-1287 kernel: ALSA: usb-audio: Use correct version for UAC3 header validation
kernel: ALSA: usb-audio: Use correct version for UAC3 header validation
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Use correct version for UAC3 header validation
The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields.
The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and a
Red Hat
Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
vendor_redhat·2026-03-23·CVSS 5.3
CVE-2026-33173 [MEDIUM] CWE-1287 Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
A flaw was found in Rails Active Storage. A rem
Red Hat
cpp-httplib: cpp-httplib: Denial of Service via malformed Content-Length header
vendor_redhat·2026-03-11·CVSS 7.5
CVE-2026-31870 [HIGH] CWE-1287 cpp-httplib: cpp-httplib: Denial of Service via malformed Content-Length header
cpp-httplib: cpp-httplib: Denial of Service via malformed Content-Length header
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positi
Microsoft
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
vendor_msrc·2026-03-10·CVSS 7.0
CVE-2026-25179 [HIGH] CWE-1287 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description: Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
Windows Ancillary Function Driver for WinSock: Windows Ancillary Function Driver for Win
Red Hat
keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
vendor_redhat·2026-03-05·CVSS 7.7
CVE-2026-2092 [HIGH] CWE-1287 keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Red Hat
axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
vendor_redhat·2026-02-09·CVSS 7.5
CVE-2026-25639 [HIGH] CWE-1287 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object c
Cisco
Cisco TelePresence Collaboration Endpoint Software and RoomOS Software Denial of Service Vulnerability
vendor_cisco·2026-02-04·CVSS 7.5
CVE-2026-20119 [HIGH] CWE-1287 Cisco TelePresence Collaboration Endpoint Software and RoomOS Software Denial of Service Vulnerability
Cisco TelePresence Collaboration Endpoint Software and RoomOS Software Denial of Service Vulnerability
A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a D
Red Hat
Django: Django: SQL Injection via crafted column aliases
vendor_redhat·2026-02-03·CVSS 5.4
CVE-2026-1287 [MEDIUM] CWE-89 Django: Django: SQL Injection via crafted column aliases
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
A flaw was found in Django. This vulnerability allows a remote attacker to perform SQL injection by using specially crafted control characters within column aliases. When these crafted ali
Ubuntu
Django vulnerabilities
vendor_ubuntu·2026-02-03·CVSS 5.3
CVE-2026-1312 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django exposed timing information when checking passwords. An attacker could possibly use this issue to obtain sensitive information. (CVE-2025-13473)

Jiyong Yang discovered that Django incorrectly handled malformed requests with duplicate headers. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)

Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-20
Red Hat
openjdk: Enhance Handling of URIs (Oracle CPU 2026-01)
vendor_redhat·2026-01-20·CVSS 7.4
CVE-2026-21932 [HIGH] CWE-1287 openjdk: Enhance Handling of URIs (Oracle CPU 2026-01)
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,
Debian
CVE-2026-1287: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...
vendor_debian·2026·CVSS 5.4
CVE-2026-1287 [MEDIUM] CVE-2026-1287: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u2)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u12)
forky: resolved (fixed in 3:4.2.28-1)
sid: resolved (fixed in 3:4.2.28-1)
trixie: resolved (fixed in 3:4.2.28-0+deb13u1)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-14550 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-14550 [HIGH] CVE-2025-14550 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14550: Django vulnerability analysis and mitigation
ASGIRequest
Source: NVD
Score: 7.5
Published February 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
authentik
authentik-fips
Sources
NVD
Alpine 3.23 Severity HIGH Has Fix Added at: Feb 10, 2026
Alpine edge Severity HIGH Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11 Severity HIGH No Fix Added at: Feb 04, 2026
Debian 12, 13, 14 Severity HIGH Has Fix Added at: Feb 04, 2026
Echo Severity HIGH Has Fix Added at: Feb 04, 2026
p
Wiz
CVE-2026-1207 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-1207 [MEDIUM] CVE-2026-1207 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1207: Django vulnerability analysis and mitigation
RasterField
Source: NVD
Score: 5.4
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Django
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 88.2
Exploitation Probability (EPSS) 3.8
Affected packages and libraries
py3-django
python3-django-bash-completion
Sources
NVD
Alpine 3.23 Severity MEDIUM Has Fix Added at: Feb 10, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Feb 04, 2026
Echo Severity MEDIUM Has Fix Added at: Feb 04, 2026
pip Severity HIGH Has Fix
Wiz
CVE-2025-13473 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-13473 [MEDIUM] CVE-2025-13473 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13473: Django vulnerability analysis and mitigation
django.contrib.auth.handlers.modwsgi.check_password()
mod_wsgi
Source: NVD
Score: 5.3
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
authentik
authentik-fips
Sources
NVD
Alpine 3.23 Severity MEDIUM Has Fix Added at: Feb 10, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Feb 04, 2026
Echo Severity MEDIUM Has Fix Added at: Feb 0
Wiz
CVE-2026-1285 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1285 [HIGH] CVE-2026-1285 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1285: Django vulnerability analysis and mitigation
django.utils.text.Truncator.chars()
Truncator.words()
html=True
truncatechars_html
truncatewords_html
Source: NVD
Score: 7.5
Published February 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
awx
python3-django-bash-completion
Sources
NVD
Alpine 3.23 Severity HIGH Has Fix Added at: Feb 10, 2026
Alpine edge Severity HIGH Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11, 12, 13, 14 Severity HIGH Has Fix Added at: Feb 04, 2026
Ec
Wiz
CVE-2026-1287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1287 [HIGH] CVE-2026-1287 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1287: Django vulnerability analysis and mitigation
FilteredRelation
**kwargs
QuerySet
annotate()
aggregate()
extra()
values()
values_list()
alias()
Source: NVD
Score: 5.4
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
label-studio
django
Sources
NVD
Alpine 3.23 Severity MEDIUM Has Fix Added at: Feb 10, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Feb 04, 2026
Echo Seve
Wiz
CVE-2026-25673 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25673 [HIGH] CVE-2026-25673 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25673: Django vulnerability analysis and mitigation
URLField.to_python()
urllib.parse.urlsplit()
Source: NVD
Score: 7.5
Published March 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 45.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
authentik-fips
awx
Sources
NVD
Alpine 3.23 Severity HIGH Has Fix Added at: Mar 08, 2026
Chainguard Has Fix Added at: Mar 08, 2026
pip Severity HIGH Has Fix Added at: Mar 05, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 08, 2026
Wiz
CVE-2026-25674 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25674 [HIGH] CVE-2026-25674 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25674: Django vulnerability analysis and mitigation
umask
Source: NVD
Score: 3.7
Published March 3, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
py3-django
django
Sources
NVD
Alpine 3.23 Severity LOW Has Fix Added at: Mar 08, 2026
Chainguard Has Fix Added at: Mar 08, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 03, 2026
Debian 14 Severity LOW Has Fix Added at: Mar 03, 2026
Echo Severity LOW No Fix Added at: Mar 03, 2026
pip Severity LOW Has Fix Added at: Mar 05, 2026
MinimOS Severity LOW Has Fix A
Wiz
CVE-2026-1312 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1312 [HIGH] CVE-2026-1312 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1312: Django vulnerability analysis and mitigation
QuerySet.order_by()
FilteredRelation
Source: NVD
Score: 5.4
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Django
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python3-django
python3-django-doc
Sources
NVD
Alpine 3.23 Severity MEDIUM Has Fix Added at: Feb 10, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Feb 08, 2026
Chainguard Has Fix Added at: Feb 08, 2026
Debian 11, 12, 13, 14 Severity MEDIUM Has Fix Added at: Feb 04, 2026
Echo Severity MEDIUM Has Fix Added at: Feb 04, 2026
pip Seve
Bugzilla
CVE-2026-1287 python-django3: Django: SQL Injection via crafted column aliases [epel-8]
bugzilla·2026-02-04·CVSS 5.4
CVE-2026-1287 [MEDIUM] CVE-2026-1287 python-django3: Django: SQL Injection via crafted column aliases [epel-8]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Package `python-django3` is retired on the `epel8` dist-git branch (the `dead.package` marker is present); closing as CANTFIX since there's no live package to update.
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
https://access.redhat.com/errata/RHSA-2026:14835
https://access.redhat.com/errata/RHSA-2026:2694
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:3959
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:3962
https://access.redhat.com/errata/RHSA-2026:5970
https://access.redhat.com/errata/RHSA-2026:5971
https://access.redhat.com/errata/RHSA-2026:6291
https://access.redhat.com/security/cve/CVE-2026-1287
https://bugzilla.redhat.com/show_bug.cgi?id=2436339
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1287.json
Published: 2026-02-03