Django
CVE-2026-1207
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (6a34fbeb-21d4-45e7-8e0a-62b95bc12c92).
CVSS VectorVendor: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
AnalysisAI
SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.
Technical ContextAI
Classified as CWE-89 (SQL Injection). Affects the band index component of Django. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
RemediationAI
A vendor patch is available — apply it immediately. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulne
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/j
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows rem
The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an e
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary datab
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. R
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mwm9-4648-f68q