Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:rpm/redhat/python-django@4.2.28-0.1?arch=el8pc
Typerpm
Namespaceredhat
Namepython-django
Version4.2.28-0.1
Qualifiers
arch el8pc
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-28g3-ubx6-ebff
vulnerability_id VCID-28g3-ubx6-ebff
summary 
Django has Inefficient Algorithmic Complexity
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Seokchan Yoon for reporting this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1285.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1285
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.20187
published_at 2026-04-02T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20125
published_at 2026-04-11T12:55:00Z
2
value 0.00064
scoring_system epss
scoring_elements 0.20106
published_at 2026-04-09T12:55:00Z
3
value 0.00064
scoring_system epss
scoring_elements 0.20047
published_at 2026-04-08T12:55:00Z
4
value 0.00064
scoring_system epss
scoring_elements 0.19968
published_at 2026-04-07T12:55:00Z
5
value 0.00064
scoring_system epss
scoring_elements 0.20242
published_at 2026-04-04T12:55:00Z
6
value 0.00067
scoring_system epss
scoring_elements 0.20761
published_at 2026-04-16T12:55:00Z
7
value 0.00067
scoring_system epss
scoring_elements 0.20771
published_at 2026-04-13T12:55:00Z
8
value 0.00067
scoring_system epss
scoring_elements 0.20824
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1285
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1285
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1285
3
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://docs.djangoproject.com/en/dev/releases/security
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/django/django
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/django/django
6
reference_url https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344
7
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/
url https://groups.google.com/g/django-announce
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1285
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1285
9
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id 1126914
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436340
reference_id 2436340
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436340
12
reference_url https://github.com/advisories/GHSA-4rrr-2h4v-f3j9
reference_id GHSA-4rrr-2h4v-f3j9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4rrr-2h4v-f3j9
13
reference_url https://access.redhat.com/errata/RHSA-2026:2694
reference_id RHSA-2026:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2694
14
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
15
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
16
reference_url https://access.redhat.com/errata/RHSA-2026:6291
reference_id RHSA-2026:6291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6291
17
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
reference_id security-releases
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:22:30Z/
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
18
reference_url https://usn.ubuntu.com/8009-1/
reference_id USN-8009-1
reference_type
scores
url https://usn.ubuntu.com/8009-1/
fixed_packages
aliases CVE-2026-1285, GHSA-4rrr-2h4v-f3j9
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-28g3-ubx6-ebff
1
url VCID-8qu1-45n9-gyb1
vulnerability_id VCID-8qu1-45n9-gyb1
summary 
Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1287.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1287
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01069
published_at 2026-04-02T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01083
published_at 2026-04-09T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01084
published_at 2026-04-08T12:55:00Z
3
value 0.0001
scoring_system epss
scoring_elements 0.01079
published_at 2026-04-07T12:55:00Z
4
value 0.0001
scoring_system epss
scoring_elements 0.01072
published_at 2026-04-04T12:55:00Z
5
value 0.0001
scoring_system epss
scoring_elements 0.01067
published_at 2026-04-11T12:55:00Z
6
value 0.00011
scoring_system epss
scoring_elements 0.01444
published_at 2026-04-13T12:55:00Z
7
value 0.00011
scoring_system epss
scoring_elements 0.01443
published_at 2026-04-12T12:55:00Z
8
value 0.00011
scoring_system epss
scoring_elements 0.01433
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1287
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1287
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1287
3
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.djangoproject.com/en/dev/releases/security
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/django/django
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/django/django
6
reference_url https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22
7
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/
url https://groups.google.com/g/django-announce
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1287
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1287
9
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id 1126914
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436339
reference_id 2436339
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436339
12
reference_url https://github.com/advisories/GHSA-gvg8-93h5-g6qq
reference_id GHSA-gvg8-93h5-g6qq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gvg8-93h5-g6qq
13
reference_url https://access.redhat.com/errata/RHSA-2026:2694
reference_id RHSA-2026:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2694
14
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
15
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
16
reference_url https://access.redhat.com/errata/RHSA-2026:3960
reference_id RHSA-2026:3960
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3960
17
reference_url https://access.redhat.com/errata/RHSA-2026:3962
reference_id RHSA-2026:3962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3962
18
reference_url https://access.redhat.com/errata/RHSA-2026:6291
reference_id RHSA-2026:6291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6291
19
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
reference_id security-releases
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:26:40Z/
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
20
reference_url https://usn.ubuntu.com/8009-1/
reference_id USN-8009-1
reference_type
scores
url https://usn.ubuntu.com/8009-1/
fixed_packages
aliases CVE-2026-1287, GHSA-gvg8-93h5-g6qq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8qu1-45n9-gyb1
2
url VCID-e9k9-1s9f-dbgv
vulnerability_id VCID-e9k9-1s9f-dbgv
summary 
Django has Inefficient Algorithmic Complexity
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Jiyong Yang for reporting this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14550.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-14550
reference_id
reference_type
scores
0
value 0.00059
scoring_system epss
scoring_elements 0.18717
published_at 2026-04-02T12:55:00Z
1
value 0.00059
scoring_system epss
scoring_elements 0.18625
published_at 2026-04-11T12:55:00Z
2
value 0.00059
scoring_system epss
scoring_elements 0.18621
published_at 2026-04-09T12:55:00Z
3
value 0.00059
scoring_system epss
scoring_elements 0.18568
published_at 2026-04-08T12:55:00Z
4
value 0.00059
scoring_system epss
scoring_elements 0.18487
published_at 2026-04-07T12:55:00Z
5
value 0.00059
scoring_system epss
scoring_elements 0.18771
published_at 2026-04-04T12:55:00Z
6
value 0.00062
scoring_system epss
scoring_elements 0.19221
published_at 2026-04-16T12:55:00Z
7
value 0.00062
scoring_system epss
scoring_elements 0.19259
published_at 2026-04-13T12:55:00Z
8
value 0.00062
scoring_system epss
scoring_elements 0.19314
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-14550
2
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://docs.djangoproject.com/en/dev/releases/security
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/django/django
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/django/django
5
reference_url https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb
6
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/
url https://groups.google.com/g/django-announce
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-14550
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-14550
8
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id 1126914
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436341
reference_id 2436341
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436341
11
reference_url https://github.com/advisories/GHSA-33mw-q7rj-mjwj
reference_id GHSA-33mw-q7rj-mjwj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-33mw-q7rj-mjwj
12
reference_url https://access.redhat.com/errata/RHSA-2026:2694
reference_id RHSA-2026:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2694
13
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
14
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
15
reference_url https://access.redhat.com/errata/RHSA-2026:6291
reference_id RHSA-2026:6291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6291
16
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
reference_id security-releases
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:27:25Z/
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
17
reference_url https://usn.ubuntu.com/8009-1/
reference_id USN-8009-1
reference_type
scores
url https://usn.ubuntu.com/8009-1/
fixed_packages
aliases CVE-2025-14550, GHSA-33mw-q7rj-mjwj
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e9k9-1s9f-dbgv
3
url VCID-msge-1mfu-7qfa
vulnerability_id VCID-msge-1mfu-7qfa
summary 
Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1312.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1312
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01069
published_at 2026-04-02T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01083
published_at 2026-04-09T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01084
published_at 2026-04-08T12:55:00Z
3
value 0.0001
scoring_system epss
scoring_elements 0.01079
published_at 2026-04-07T12:55:00Z
4
value 0.0001
scoring_system epss
scoring_elements 0.01072
published_at 2026-04-04T12:55:00Z
5
value 0.0001
scoring_system epss
scoring_elements 0.01067
published_at 2026-04-11T12:55:00Z
6
value 0.00011
scoring_system epss
scoring_elements 0.01444
published_at 2026-04-13T12:55:00Z
7
value 0.00011
scoring_system epss
scoring_elements 0.01443
published_at 2026-04-12T12:55:00Z
8
value 0.00011
scoring_system epss
scoring_elements 0.01433
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1312
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1312
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1312
3
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://docs.djangoproject.com/en/dev/releases/security
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/django/django
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/django/django
6
reference_url https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84
7
reference_url https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222
8
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/
url https://groups.google.com/g/django-announce
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1312
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1312
10
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id 1126914
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436342
reference_id 2436342
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436342
13
reference_url https://github.com/advisories/GHSA-6426-9fv3-65x8
reference_id GHSA-6426-9fv3-65x8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6426-9fv3-65x8
14
reference_url https://access.redhat.com/errata/RHSA-2026:2694
reference_id RHSA-2026:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2694
15
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
16
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
17
reference_url https://access.redhat.com/errata/RHSA-2026:3960
reference_id RHSA-2026:3960
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3960
18
reference_url https://access.redhat.com/errata/RHSA-2026:3962
reference_id RHSA-2026:3962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3962
19
reference_url https://access.redhat.com/errata/RHSA-2026:6291
reference_id RHSA-2026:6291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6291
20
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
reference_id security-releases
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:56:09Z/
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
21
reference_url https://usn.ubuntu.com/8009-1/
reference_id USN-8009-1
reference_type
scores
url https://usn.ubuntu.com/8009-1/
fixed_packages
aliases CVE-2026-1312, GHSA-6426-9fv3-65x8
risk_score 3.9
exploitability 0.5
weighted_severity 7.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msge-1mfu-7qfa
4
url VCID-ysyp-h7ja-yff3
vulnerability_id VCID-ysyp-h7ja-yff3
summary 
Django has an SQL Injection issue
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Tarek Nakkouch for reporting this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1207.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-1207
reference_id
reference_type
scores
0
value 0.03841
scoring_system epss
scoring_elements 0.88188
published_at 2026-04-11T12:55:00Z
1
value 0.03841
scoring_system epss
scoring_elements 0.88178
published_at 2026-04-09T12:55:00Z
2
value 0.03841
scoring_system epss
scoring_elements 0.88172
published_at 2026-04-08T12:55:00Z
3
value 0.03841
scoring_system epss
scoring_elements 0.88153
published_at 2026-04-07T12:55:00Z
4
value 0.03841
scoring_system epss
scoring_elements 0.88146
published_at 2026-04-04T12:55:00Z
5
value 0.04424
scoring_system epss
scoring_elements 0.89035
published_at 2026-04-13T12:55:00Z
6
value 0.04424
scoring_system epss
scoring_elements 0.89037
published_at 2026-04-12T12:55:00Z
7
value 0.04424
scoring_system epss
scoring_elements 0.89048
published_at 2026-04-16T12:55:00Z
8
value 0.05126
scoring_system epss
scoring_elements 0.8982
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-1207
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1207
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1207
3
reference_url https://docs.djangoproject.com/en/dev/releases/security
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://docs.djangoproject.com/en/dev/releases/security
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/django/django
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/django/django
6
reference_url https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
7
reference_url https://groups.google.com/g/django-announce
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/
url https://groups.google.com/g/django-announce
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-1207
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-1207
9
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
reference_id 1126914
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126914
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2436338
reference_id 2436338
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2436338
12
reference_url https://github.com/advisories/GHSA-mwm9-4648-f68q
reference_id GHSA-mwm9-4648-f68q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwm9-4648-f68q
13
reference_url https://access.redhat.com/errata/RHSA-2026:2694
reference_id RHSA-2026:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2694
14
reference_url https://access.redhat.com/errata/RHSA-2026:3958
reference_id RHSA-2026:3958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3958
15
reference_url https://access.redhat.com/errata/RHSA-2026:3959
reference_id RHSA-2026:3959
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3959
16
reference_url https://access.redhat.com/errata/RHSA-2026:3960
reference_id RHSA-2026:3960
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3960
17
reference_url https://access.redhat.com/errata/RHSA-2026:3962
reference_id RHSA-2026:3962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3962
18
reference_url https://access.redhat.com/errata/RHSA-2026:6291
reference_id RHSA-2026:6291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6291
19
reference_url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
reference_id security-releases
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T16:21:06Z/
url https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
20
reference_url https://usn.ubuntu.com/8009-1/
reference_id USN-8009-1
reference_type
scores
url https://usn.ubuntu.com/8009-1/
fixed_packages
aliases CVE-2026-1207, GHSA-mwm9-4648-f68q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ysyp-h7ja-yff3
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:rpm/redhat/python-django@4.2.28-0.1%3Farch=el8pc