CVE-2026-1312
published 2026-02-03

CVE-2026-1312: SQL injection in Django `QuerySet.order_by()` column aliases (6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28)

Priority: P3 (38)
Severity: medium (CVSS 3.1 base score 5.4)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.80% (52.0th percentile)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection through column aliases containing periods when the same alias is also used in `FilteredRelation` via dictionary expansion of a suitably crafted dictionary. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Affected

7 ranges

| Vendor        | Product       | Version range                          | Fixed in                          |
|---------------|---------------|----------------------------------------|-----------------------------------|
| debian        | python-django | < 3:3.2.25-0+deb12u2 (bookworm)        | 3:3.2.25-0+deb12u2 (bookworm)     |
| djangoproject | django        | >= 4.2 < 4.2.28                        | 4.2.28                            |
| djangoproject | django        | >= 4.2a1 < 4.2.28                      | 4.2.28                            |
| djangoproject | django        | >= 5.2 < 5.2.11                        | 5.2.11                            |
| djangoproject | django        | >= 5.2a1 < 5.2.11                      | 5.2.11                            |
| djangoproject | django        | >= 6.0 < 6.0.2                         | 6.0.2                             |
| djangoproject | django        | >= 6.0a1 < 6.0.2                       | 6.0.2                             |

CVSS provenance

| Source        | CVSS version | Score | Severity | Vector                                       |
|---------------|--------------|-------|----------|----------------------------------------------|
| nvd           | v3.1         | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv           |              | 5.4   | MEDIUM   |                                              |
| vendor_debian |              | 5.4   | MEDIUM   |                                              |
| vendor_redhat |              | 5.4   | MEDIUM   |                                              |
| vendor_ubuntu |              | 5.3   | MEDIUM   |                                              |