CVE-2026-1312

Опубликовано: 03 фев. 2026

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. .QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Ссылки

https://docs.djangoproject.com/en/dev/releases/security/
Vendor Advisory
Patch
https://groups.google.com/g/django-announce
Release Notes
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 4.2 (включая) до 4.2.28 (исключая)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 5.2 (включая) до 5.2.11 (исключая)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Версия от 6.0 (включая) до 6.0.2 (исключая)

EPSS

Процентиль: 0%

0.00007

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-89

Связанные уязвимости

CVE-2026-1312

CVSS3: 5.4

ubuntu

4 дня назад

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

CVE-2026-1312

CVSS3: 5.4

debian

4 дня назад

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4. ...

GHSA-6426-9fv3-65x8

github

4 дня назад

Django has an SQL Injection issue

EPSS

Процентиль: 0%

0.00007

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-89