VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-9uzd-mmyv-mfh4

Essentials
Severities (37)
References (49)
Severity details (29)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-9uzd-mmyv-mfh4
Aliases	CVE-2025-64459 GHSA-frmv-pr5f-9mcr
Summary	Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json
epss	0.00191	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
epss	0.00576	https://api.first.org/data/v1/epss?cve=CVE-2025-64459
cvssv3.1	9.1	https://docs.djangoproject.com/en/dev/releases/security
generic_textual	CRITICAL	https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1	9.1	https://docs.djangoproject.com/en/dev/releases/security/
ssvc	Track	https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-frmv-pr5f-9mcr
cvssv3.1	9.1	https://github.com/django/django
generic_textual	CRITICAL	https://github.com/django/django
cvssv3.1	9.1	https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85
generic_textual	CRITICAL	https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85
cvssv3.1	9.1	https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4
generic_textual	CRITICAL	https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4
cvssv3.1	9.1	https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b
generic_textual	CRITICAL	https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b
cvssv3.1	9.1	https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
generic_textual	CRITICAL	https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
cvssv3.1	9.1	https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed
generic_textual	CRITICAL	https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed
cvssv3.1	9.1	https://groups.google.com/g/django-announce
generic_textual	CRITICAL	https://groups.google.com/g/django-announce
ssvc	Track	https://groups.google.com/g/django-announce
cvssv3.1	9.1	https://nvd.nist.gov/vuln/detail/CVE-2025-64459
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2025-64459
cvssv3.1	9.1	https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
generic_textual	CRITICAL	https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
cvssv3.1	9.1	https://www.djangoproject.com/weblog/2025/nov/05/security-releases
generic_textual	CRITICAL	https://www.djangoproject.com/weblog/2025/nov/05/security-releases
cvssv3.1	9.1	https://www.djangoproject.com/weblog/2025/nov/05/security-releases/
ssvc	Track	https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-64459
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
		https://docs.djangoproject.com/en/dev/releases/security
		https://github.com/django/django
		https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85
		https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4
		https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b
		https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
		https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed
		https://groups.google.com/g/django-announce
		https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
		https://www.djangoproject.com/weblog/2025/nov/05/security-releases
1120139		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120139
2412651		https://bugzilla.redhat.com/show_bug.cgi?id=2412651
CVE-2025-64459	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52456.py
CVE-2025-64459		https://nvd.nist.gov/vuln/detail/CVE-2025-64459
GHSA-frmv-pr5f-9mcr		https://github.com/advisories/GHSA-frmv-pr5f-9mcr
RHSA-2025:23069		https://access.redhat.com/errata/RHSA-2025:23069
RHSA-2025:23070		https://access.redhat.com/errata/RHSA-2025:23070
RHSA-2025:23130		https://access.redhat.com/errata/RHSA-2025:23130
RHSA-2025:23131		https://access.redhat.com/errata/RHSA-2025:23131
RHSA-2025:23133		https://access.redhat.com/errata/RHSA-2025:23133
RHSA-2025:23196		https://access.redhat.com/errata/RHSA-2025:23196
RHSA-2026:1596		https://access.redhat.com/errata/RHSA-2026:1596
security-releases		https://www.djangoproject.com/weblog/2025/nov/05/security-releases/
USN-7859-1		https://usn.ubuntu.com/7859-1/

Data source	Exploit-DB
Date added	Dec. 3, 2025
Description	Django 5.1.13 - SQL Injection
Ransomware campaign use	Unknown
Source publication date	Dec. 3, 2025
Exploit type	webapps
Platform	multiple
Source update date	Dec. 3, 2025

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64459.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://docs.djangoproject.com/en/dev/releases/security

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://docs.djangoproject.com/en/dev/releases/security/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/ Found at https://docs.djangoproject.com/en/dev/releases/security/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/06dd38324ac3d60d83d9f3adabf0dcdf423d2a85

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/59ae82e67053d281ff4562a24bbba21299f0a7d4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/6703f364d767e949c5b0e4016433ef75063b4f9b

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/omarkurt/django-connector-CVE-2025-64459-testbed

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://groups.google.com/g/django-announce

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/ Found at https://groups.google.com/g/django-announce

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64459

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.djangoproject.com/weblog/2025/nov/05/security-releases

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-11-06T04:55:36Z/ Found at https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

Exploit Prediction Scoring System (EPSS)

Percentile	0.41087
EPSS Score	0.00191
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:53:08.313805+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-64459.yml	38.0.0