Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-64459

Опубликовано: 05 нояб. 2025
Источник: debian
EPSS Низкий

Описание

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
python-djangofixed3:4.2.26-1package

Примечания

  • https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

  • https://github.com/django/django/commit/98e642c69181c942d60a10ca0085d48c6b3068bb (main)

  • https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4 (4.2.26)

EPSS

Процентиль: 1%
0.0001
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2025-64459

CVSS3: 9.1
ubuntu
26 дней назад

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

nvd логотип

CVE-2025-64459

CVSS3: 9.1
nvd
26 дней назад

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

github логотип

GHSA-frmv-pr5f-9mcr

CVSS3: 9.1
github
26 дней назад

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

fstec логотип

BDU:2025-13913

CVSS3: 9.1
fstec
26 дней назад

Уязвимость объектов QuerySet и Q программной платформы для разработки веб-приложений Django, позволяющая нарушителю раскрыть и изменить защищаемую информацию

suse-cvrf логотип

SUSE-SU-2025:4100-1

suse-cvrf
17 дней назад

Security update for python-Django

EPSS

Процентиль: 1%
0.0001
Низкий