CVE-2026-1287 — SQL Injection in Django
CWE-89 — SQL InjectionCWE-1287 — Improper Validation of Specified Type of Input29 documents10 sources
Severity
5.4MEDIUMNVD
GHSA7.5
EPSS
0.0%
top 98.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 3
Latest updateApr 15
Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would li…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5
Affected Packages3 packages
Patches
🔴Vulnerability Details
7GHSA
▶
📋Vendor Advisories
18Red Hat▶
kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP↗2026-04-13
Red Hat▶
jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure↗2026-04-13
Red Hat▶
mbedtls: Mbed TLS and TF-PSA-Crypto: Shared secret manipulation via improper FFDH input validation↗2026-04-01
Red Hat▶
Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads↗2026-03-23