Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.
`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Solomon Kebede for reporting this issue.
Published: 2026-02-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection via column aliases
Action: Apply Patch
AI Analysis

Impact

An expressed vulnerability within Django’s QuerySet machinery allows an attacker to inject arbitrary SQL through column aliases when control characters are included in the keyword arguments supplied to methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). The flaw exists because dictionary expansion during alias resolution does not properly escape these control characters, enabling execution of unintended SQL statements. If exploited, an attacker could read, modify, or delete data in the underlying database, potentially compromising confidentiality, integrity, or availability of application data.

Affected Systems

The issue is present in Django releases 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Initial reports also indicate that older, unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may have similar weaknesses. Systems running any affected versions of the Django framework on any platform are at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild at the time of this assessment. Because the vulnerability is triggered by crafted dictionary inputs, an attacker would need access to a code path that accepts unsanitized keyword arguments for the aforementioned QuerySet methods, which could be through a web API, admin interface, or internal function. No known public exploits or KEV entries are listed, so the threat is primarily theoretical at this point, but the ability to inject arbitrary SQL remains a significant risk if the flaw exists in deployed code.

Generated by OpenCVE AI on April 18, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to the latest available release (at least 6.0.2, 5.2.11, or 4.2.28 depending on the major version in use).
  • Verify that the update includes the SQL injection fix by checking the release notes for the security announcement related to this CVE.
  • Review and refactor any code that constructs ORM queries using dynamic keyword arguments for annotate, aggregate, extra, values, values_list, or alias, ensuring all inputs are sanitized or replaced with safe, hard‑coded identifiers.

Generated by OpenCVE AI on April 18, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4484-1 python-django security update
Debian DSA Debian DSA DSA-6150-1 python-django security update
Github GHSA Github GHSA GHSA-gvg8-93h5-g6qq Django has an SQL Injection issue
Ubuntu USN Ubuntu USN USN-8009-1 Django vulnerabilities
History

Wed, 04 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 03 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
Title Potential SQL injection in column aliases via control characters
Weaknesses CWE-89
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-02-03T16:26:43.253Z

Reserved: 2026-01-21T14:04:43.515Z

Link: CVE-2026-1287

cve-icon Vulnrichment

Updated: 2026-02-03T16:26:37.284Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T15:16:13.703

Modified: 2026-02-04T17:35:11.553

Link: CVE-2026-1287

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-03T14:36:03Z

Links: CVE-2026-1287 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses