Search for packages
| purl | pkg:rpm/redhat/python3-django@2.2.28-1?arch=el7pc |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-pa75-6avj-duf7
Aliases: BIT-django-2022-28346 CVE-2022-28346 GHSA-2gwj-7jmv-h26r PYSEC-2022-190 |
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | There are no reported fixed by versions. |
|
VCID-th9v-dk98-3kea
Aliases: BIT-django-2022-28347 CVE-2022-28347 GHSA-w24h-v9qh-8gxj PYSEC-2022-191 |
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:58:59.660271+00:00 | RedHat Importer | Affected by | VCID-th9v-dk98-3kea | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28347.json | 38.0.0 |
| 2026-04-01T13:58:59.532374+00:00 | RedHat Importer | Affected by | VCID-pa75-6avj-duf7 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28346.json | 38.0.0 |