Vulnerability Directory | CVE-2026-1287

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

‍

A SQL injection vulnerability (CVE-2026-1287) has been identified in Django, where FilteredRelation could be exploited through column aliases containing control characters when combined with suitably crafted dictionary expansion passed as **kwargs to methods such as QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias(). This improper validation of user-controlled alias input may allow attackers to inject malicious SQL into generated database queries, potentially resulting in unauthorized data access, modification of database contents, or execution of unintended database operations within affected Django applications.

‍

Per OWASP: SQL Injection vulnerabilities occur when an application improperly incorporates untrusted input into database queries, allowing attackers to alter the structure or behavior of SQL statements. By injecting specially crafted input into query parameters, attackers may be able to access unauthorized data, modify database contents, execute administrative operations, or bypass application security controls.

Details

Module Info

Product: Django
Affected packages: django
Affected versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
GitHub repository: https://github.com/django/django
Published packages: https://pypi.org/project/Django/
Package manager: pip
Fixed in: Django NES v3.2.27 and v4.2.31

‍

Vulnerability Info

This High-severity vulnerability is found in the db package in all published versions of Django.

‍

Normally, Django’s ORM is designed to safely construct SQL queries by validating and escaping query parameters before incorporating them into database operations. In particular, query-building features such as FilteredRelation, QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() are intended to safely process column aliases and dynamically generated query components without allowing user-controlled input to alter the structure of generated SQL statements.

‍

However, due to improper sanitization of column aliases containing control characters when used with crafted dictionary expansion in FilteredRelation, an attacker can supply specially crafted input that is interpreted as part of the underlying SQL query. This behavior may allow attackers to manipulate database queries through SQL injection, potentially resulting in unauthorized data access, modification of database contents, or execution of unintended database operations within affected Django applications.

‍

This issue arises from insufficient validation of user-controlled alias values during SQL query generation in Django’s ORM, enabling attackers to inject malicious SQL through specially crafted **kwargs parameters passed to query-construction methods used alongside FilteredRelation.