CVE-2026-1207
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
A SQL injection vulnerability (CVE-2026-1207) has been identified in Django, where raster lookups on GIS fields implemented on PostGIS allow attackers to inject malicious SQL when untrusted input is used as a band index. This improper validation of user-supplied input in raster query construction can enable unauthorized database query manipulation, potentially resulting in unauthorized data access, data modification, or other unintended database operations within affected Django applications.
Per OWASP: SQL Injection vulnerabilities occur when an application improperly incorporates untrusted input into database queries, allowing attackers to alter the structure or behavior of SQL statements. By injecting specially crafted input into query parameters, attackers may be able to access unauthorized data, modify database contents, execute administrative operations, or bypass application security controls.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This high-severity vulnerability is located in the contrib package (Django's GIS framework) and affects all published versions of Django.
Normally, Django’s GIS framework is designed to safely construct database queries for spatial operations, ensuring that user-supplied values are properly validated before being incorporated into SQL statements. In particular, raster lookup functionality on PostGIS-backed GIS fields is intended to safely process raster band index values without allowing user input to alter the structure of generated database queries.
However, due to improper validation of untrusted band index input in raster lookups, an attacker can supply specially crafted values that are interpreted as part of the underlying SQL query. This behavior may allow attackers to manipulate database operations through SQL injection, potentially resulting in unauthorized data access, modification of database contents, or execution of unintended queries within affected Django applications.
This issue arises from insufficient sanitization of user-controlled input during SQL query construction in Django’s PostGIS raster lookup implementation, enabling attackers to inject malicious SQL through crafted raster band index parameters.
Mitigation
Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
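The two practical points above, that an untrusted band index must never reach query construction unvalidated (Vulnerability Info) and that the running Django version must be compared against the affected ranges before deciding whether an upgrade or NES support is needed (Mitigation), as an added example. This is not Django's or HeroDevs' code and it does not import Django, so it runs stand-alone. It assumes, from the GeoDjango raster-lookup documentation, that a band index can be supplied on the right-hand side of a raster lookup as a `(raster, band_index)` tuple; the field name `rast`, the `band_count` argument and the sample values are constructed for illustration.

```python
"""Defensive helpers for the raster band-index issue described in the advisory.

Added example, not Django's own code.  Assumption: GeoDjango accepts a band
index on the right-hand side of a raster lookup as a tuple, e.g.
``Elevation.objects.filter(rast__contains=(raster, 2))``.  The advisory says
that band index was interpolated into SQL without proper validation, so the
safe pattern is to admit only a plain integer before it reaches the ORM.
"""
import re
from typing import Any, Dict, Optional, Tuple

# Upper bound of each affected series, exactly as listed in the advisory
# ("<=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1").
_AFFECTED_UPPER_BOUNDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 27),
    (5, 2): (5, 2, 10),
    (6, 0): (6, 0, 1),
}

# PostGIS raster bands are 1-based; a valid index is a bare positive decimal
# integer with no sign, whitespace, decimal point or trailing characters.
_BAND_INDEX_RE = re.compile(r"[1-9][0-9]*")


def parse_band_index(raw: Any, band_count: int) -> int:
    """Strictly parse an untrusted band index (query string, JSON, form field).

    Returns the index as an int only if it is a plain positive integer in
    1..band_count.  Everything else (bools, floats, "1 OR 1=1", "1); --",
    " 1", "0", "-1") raises ValueError, so no SQL fragment can ride along
    into the ORM lookup.  ``band_count`` is the number of bands the caller
    knows the raster has (assumption: obtained from the raster object).
    """
    if isinstance(raw, bool):  # bool is an int subclass; reject explicitly
        raise ValueError("band index must be an integer, not a bool")
    if isinstance(raw, int):
        text = str(raw)
    elif isinstance(raw, str):
        text = raw
    else:
        raise ValueError(f"band index has unsupported type {type(raw).__name__}")
    if _BAND_INDEX_RE.fullmatch(text) is None:
        raise ValueError(f"invalid band index: {raw!r}")
    band = int(text)
    if band > band_count:
        raise ValueError(f"band index {band} exceeds band count {band_count}")
    return band


def is_valid_band_index(raw: Any, band_count: int) -> bool:
    """Boolean wrapper around parse_band_index for callers that only need a check."""
    try:
        parse_band_index(raw, band_count)
    except ValueError:
        return False
    return True


def raster_band_filter(field: str, lookup: str, raster: Any,
                       raw_band: Any, band_count: int) -> Dict[str, Tuple[Any, int]]:
    """Build keyword arguments for a raster lookup with a validated band index.

    The result is meant for ``Model.objects.filter(**kwargs)``; e.g.
    raster_band_filter("rast", "contains", r, "2", 3) -> {"rast__contains": (r, 2)}.
    Field and lookup names are assumptions (constructed for the example).
    """
    band = parse_band_index(raw_band, band_count)
    return {f"{field}__{lookup}": (raster, band)}


def is_affected(version: Tuple[Any, ...]) -> Optional[bool]:
    """Compare a Django version tuple (shape of django.VERSION) to the advisory.

    Returns True/False for the series the advisory lists and None for a
    series it does not list, so callers do not mistake "not in the table"
    for "not affected".
    """
    major, minor, patch = (int(v) for v in version[:3])
    bound = _AFFECTED_UPPER_BOUNDS.get((major, minor))
    if bound is None:
        return None
    return (major, minor, patch) <= bound


if __name__ == "__main__":
    # Constructed inputs: one trusted-looking value and one that carries SQL.
    print(raster_band_filter("rast", "contains", "<raster>", "2", 3))
    print(is_valid_band_index("1 OR 1=1", 3), is_affected((5, 2, 10, "final", 0)))
```

Run the validation at the boundary where the value enters the application (the view or serializer), not deep in a helper, so that an upgrade to a patched Django is a belt-and-braces change rather than the only line of defence.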
Credits
- Tarek Nakkouch (finder)