What is the CVSS score of CVE-2025-57833?

CVE-2025-57833 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Python are affected by CVE-2025-57833?

Organizations using Django 4.2 face moderate risk from CVE-2025-57833, a SQL injection vulnerability rated CVSS 7.1.. A patch is available.

Is there a public PoC exploit available for CVE-2025-57833?

Yes, a public proof-of-concept exploit is available for CVE-2025-57833. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-57833?

Within 7 days: Identify all affected systems running Django 4.2 and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Python CVE-2025-57833

HIGH

SQL Injection (CWE-89)

2025-09-03 cve@mitre.org

Python SQLi Red Hat Django Suse

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:10 vuln.today

PoC Detected

Nov 04, 2025 - 22:16 vuln.today

Public exploit code

CVE Published

Sep 03, 2025 - 21:15 nvd

HIGH 7.1

DescriptionNVD

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

AnalysisAI

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). Affected products include: Djangoproject Django. Version information: before 4.2.24.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.