CVE-2026-1312 — SQL Injection in Django

CWE-89 — SQL Injection9 documents8 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 98.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedFeb 3

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5djangoproject/django6.0 — 6.0.2+2

▶NVDdjangoproject/django4.2 — 4.2.28+2

▶PyPIdjangoproject/django6.0a1 — 6.0.2+2

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

CVE-2026-1312: An issue was discovered in 6↗2026-02-03

▶

OSV

Django has an SQL Injection issue↗2026-02-03

▶

GHSA

Django has an SQL Injection issue↗2026-02-03

▶

CVEList

Potential SQL injection via QuerySet.order_by and FilteredRelation↗2026-02-03

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2026-02-03

▶

Red Hat

Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()↗2026-02-03

▶

Debian

CVE-2026-1312: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1312 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶