Vulnerability details: VCID-w4pr-k5nj-ckgy
Vulnerability ID VCID-w4pr-k5nj-ckgy
Aliases CVE-2025-57833
GHSA-6w2r-r2m5-xq5w
Summary Django is subject to SQL injection through its column aliases. An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57833.json
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-57833
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2025-57833
cvssv3.1 7.1 https://docs.djangoproject.com/en/dev/releases/security
generic_textual HIGH https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1 7.1 https://docs.djangoproject.com/en/dev/releases/security/
ssvc Track* https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-6w2r-r2m5-xq5w
cvssv3.1 7.1 https://github.com/django/django
generic_textual HIGH https://github.com/django/django
cvssv3.1 7.1 https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
generic_textual HIGH https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
cvssv3.1 7.1 https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
generic_textual HIGH https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
cvssv3.1 7.1 https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
generic_textual HIGH https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
cvssv3.1 7.1 https://groups.google.com/g/django-announce
generic_textual HIGH https://groups.google.com/g/django-announce
ssvc Track* https://groups.google.com/g/django-announce
cvssv3.1 7.1 https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
cvssv3.1 7.1 https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
generic_textual HIGH https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
ssvc Track* https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
cvssv3.1 7.1 https://nvd.nist.gov/vuln/detail/CVE-2025-57833
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-57833
cvssv3.1 7.1 https://www.djangoproject.com/weblog/2025/sep/03/security-releases
generic_textual HIGH https://www.djangoproject.com/weblog/2025/sep/03/security-releases
cvssv3.1 7.1 https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
ssvc Track* https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
cvssv3.1 7.1 http://www.openwall.com/lists/oss-security/2025/09/03/3
generic_textual HIGH http://www.openwall.com/lists/oss-security/2025/09/03/3
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57833.json
https://api.first.org/data/v1/epss?cve=CVE-2025-57833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64460
https://docs.djangoproject.com/en/dev/releases/security
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243
https://groups.google.com/g/django-announce
https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html
https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
https://www.djangoproject.com/weblog/2025/sep/03/security-releases
http://www.openwall.com/lists/oss-security/2025/09/03/3
1113865 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113865
2392990 https://bugzilla.redhat.com/show_bug.cgi?id=2392990
GHSA-6w2r-r2m5-xq5w https://github.com/advisories/GHSA-6w2r-r2m5-xq5w
RHSA-2025:16403 https://access.redhat.com/errata/RHSA-2025:16403
RHSA-2025:16404 https://access.redhat.com/errata/RHSA-2025:16404
RHSA-2025:16487 https://access.redhat.com/errata/RHSA-2025:16487
RHSA-2025:16514 https://access.redhat.com/errata/RHSA-2025:16514
RHSA-2025:17498 https://access.redhat.com/errata/RHSA-2025:17498
RHSA-2025:17499 https://access.redhat.com/errata/RHSA-2025:17499
RHSA-2025:17500 https://access.redhat.com/errata/RHSA-2025:17500
RHSA-2025:17606 https://access.redhat.com/errata/RHSA-2025:17606
RHSA-2025:17613 https://access.redhat.com/errata/RHSA-2025:17613
RHSA-2025:17614 https://access.redhat.com/errata/RHSA-2025:17614
security-releases https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
USN-7736-1 https://usn.ubuntu.com/7736-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57833.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://docs.djangoproject.com/en/dev/releases/security

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://docs.djangoproject.com/en/dev/releases/security/

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ Found at https://docs.djangoproject.com/en/dev/releases/security/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://github.com/django/django

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://github.com/django/django/commit/102965ea93072fe3c39a30be437c683ec1106ef5

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://github.com/django/django/commit/4c044fcc866ec226f612c475950b690b0139d243

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://groups.google.com/g/django-announce

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ Found at https://groups.google.com/g/django-announce
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ Found at https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-57833

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://www.djangoproject.com/weblog/2025/sep/03/security-releases

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at https://www.djangoproject.com/weblog/2025/sep/03/security-releases/

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-08T17:33:03Z/ Found at https://www.djangoproject.com/weblog/2025/sep/03/security-releases/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2025/09/03/3

Exploit Prediction Scoring System (EPSS)
Percentile 0.05631
EPSS Score 0.00021
Published At April 9, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:55:05.138508+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6w2r-r2m5-xq5w/GHSA-6w2r-r2m5-xq5w.json 38.0.0