Vulnerability details: VCID-vwt9-q3dt-vbfg
Vulnerability ID VCID-vwt9-q3dt-vbfg
Aliases CVE-2025-13372
GHSA-rqw2-ghq9-44m7
Summary Django is vulnerable to SQL injection in column aliases. An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2025-13372
epss 9e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-13372
cvssv3.1 4.3 https://docs.djangoproject.com/en/dev/releases/security
generic_textual MODERATE https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1 4.3 https://docs.djangoproject.com/en/dev/releases/security/
ssvc Track https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rqw2-ghq9-44m7
cvssv3.1 4.3 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 4.3 https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
generic_textual MODERATE https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
cvssv3.1 4.3 https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
generic_textual MODERATE https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
cvssv3.1 4.3 https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
generic_textual MODERATE https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
cvssv3.1 4.3 https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
generic_textual MODERATE https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
cvssv3.1 4.3 https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
generic_textual MODERATE https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
cvssv3.1 4.3 https://groups.google.com/g/django-announce
generic_textual MODERATE https://groups.google.com/g/django-announce
ssvc Track https://groups.google.com/g/django-announce
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2025-13372
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-13372
cvssv3.1 4.3 https://www.djangoproject.com/weblog/2025/dec/02/security-releases
generic_textual MODERATE https://www.djangoproject.com/weblog/2025/dec/02/security-releases
cvssv3.1 4.3 https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
ssvc Track https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json
https://api.first.org/data/v1/epss?cve=CVE-2025-13372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
https://docs.djangoproject.com/en/dev/releases/security
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/dec/02/security-releases
1121788 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121788
2418372 https://bugzilla.redhat.com/show_bug.cgi?id=2418372
CVE-2025-13372 https://nvd.nist.gov/vuln/detail/CVE-2025-13372
GHSA-rqw2-ghq9-44m7 https://github.com/advisories/GHSA-rqw2-ghq9-44m7
security-releases https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
USN-7903-1 https://usn.ubuntu.com/7903-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13372.json
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://docs.djangoproject.com/en/dev/releases/security
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://docs.djangoproject.com/en/dev/releases/security/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/ Found at https://docs.djangoproject.com/en/dev/releases/security/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://groups.google.com/g/django-announce
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/ Found at https://groups.google.com/g/django-announce
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-13372
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://www.djangoproject.com/weblog/2025/dec/02/security-releases
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:43:29Z/ Found at https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Exploit Prediction Scoring System (EPSS)
Percentile 0.01182
EPSS Score 0.00011
Published At April 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:26.580874+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Django/CVE-2025-13372.yml 38.0.0