cbcvebase.
CVE-2026-1287
published 2026-02-03


Priority: P3 · 38
CVSS 3.1: 5.4 medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.75% (50.4th percentile)
Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to the `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Affected

33 ranges, showing 25

Vendor        | Product                                                                      | Version range                                       | Fixed in
debian        | python-django                                                                | < python-django 3:3.2.25-0+deb12u2 (bookworm)       | python-django 3:3.2.25-0+deb12u2 (bookworm)
djangoproject | django                                                                       | >= 4.2 < 4.2.28                                     | 4.2.28
djangoproject | django                                                                       | >= 4.2a1 < 4.2.28                                   | 4.2.28
djangoproject | django                                                                       | >= 5.2 < 5.2.11                                     | 5.2.11
djangoproject | django                                                                       | >= 5.2a1 < 5.2.11                                   | 5.2.11
djangoproject | django                                                                       | >= 6.0 < 6.0.2                                      | 6.0.2
djangoproject | django                                                                       | >= 6.0a1 < 6.0.2                                    | 6.0.2
fastify       | fastify                                                                      | >= 5.3.2 < 5.8.5                                    | 5.8.5
github.com    | mattermost_mattermost-server                                                 | >= 0 < 5.3.2-0.20260129181235-1346cf529aef          | 5.3.2-0.20260129181235-1346cf529aef
github.com    | mattermost_mattermost-server                                                 | >= 10.11.0-rc1 < 10.11.11                           | 10.11.11
github.com    | mattermost_mattermost-server                                                 | >= 11.2.0-rc1 < 11.2.3                              | 11.2.3
github.com    | mattermost_mattermost-server                                                 | >= 11.3.0-rc1 < 11.3.1                              | 11.3.1
github.com    | mattermost_mattermost_server_v8                                              | >= 0 < 8.0.0-20260129181235-1346cf529aef            | 8.0.0-20260129181235-1346cf529aef
msrc          | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3               |                                                     |
msrc          | microsoft_sql_server_2016_for_x64-based_systems_service_pack_3_azure_connect_fea |                                                 |
msrc          | microsoft_sql_server_2017_for_x64-based_systems                              |                                                     |
msrc          | microsoft_sql_server_2019_for_x64-based_systems                              |                                                     |
msrc          | microsoft_sql_server_2022_for_x64-based_systems                              |                                                     |
msrc          | microsoft_sql_server_2025_for_x64-based_systems                              |                                                     |
msrc          | windows_10_version_1607                                                      |                                                     |
msrc          | windows_10_version_1809                                                      |                                                     |
msrc          | windows_10_version_21h2                                                      |                                                     |
msrc          | windows_10_version_22h2                                                      |                                                     |
msrc          | windows_11_version_23h2                                                      |                                                     |
msrc          | windows_11_version_24h2                                                      |                                                     |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
ghsa          |         | 7.5   | HIGH     |
osv           |         | 5.4   | MEDIUM   |
vendor_msrc   |         | 8.8   | HIGH     |
vendor_redhat |         | 8.2   | HIGH     |
vendor_cisco  |         | 7.5   | HIGH     |
vendor_debian |         | 5.4   | MEDIUM   |
vendor_ubuntu |         | 5.3   | MEDIUM   |