CVE-2026-1207

Опубликовано: 03 фев. 2026

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Ссылки

https://docs.djangoproject.com/en/dev/releases/security/
Vendor Advisory
Patch
https://groups.google.com/g/django-announce
Release Notes
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 4.2 (включая) до 4.2.28 (исключая)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 5.2 (включая) до 5.2.11 (исключая)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 6.0 (включая) до 6.0.2 (исключая)

EPSS

Процентиль: 2%

0.00013

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-89

Связанные уязвимости

CVE-2026-1207

CVSS3: 5.4

ubuntu

4 дня назад

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CVE-2026-1207

CVSS3: 5.4

debian

4 дня назад

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4. ...

GHSA-mwm9-4648-f68q

github

4 дня назад

Django has an SQL Injection issue

EPSS

Процентиль: 2%

0.00013

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-89