Skip to main content

Django CVE-2026-1207

MEDIUM
SQL Injection (CWE-89)
2026-02-03 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 GHSA-mwm9-4648-f68q
5.4
CVSS 3.1 · Vendor: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Share

Severity by source

Vendor (6a34fbeb-21d4-45e7-8e0a-62b95bc12c92) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (6a34fbeb-21d4-45e7-8e0a-62b95bc12c92).

CVSS VectorVendor: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 04, 2026 - 17:34 nvd
Patch available
CVE Published
Feb 03, 2026 - 15:16 nvd
MEDIUM 5.4

DescriptionCVE.org

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

AnalysisAI

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects the band index component of Django. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

RemediationAI

A vendor patch is available — apply it immediately. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

More in Django

View all
CVE-2017-12794 MEDIUM POC
6.1 Sep 07

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for

CVE-2022-34265 CRITICAL POC
9.8 Jul 04

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulne

CVE-2021-35042 CRITICAL POC
9.8 Jul 02

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input

CVE-2019-19844 CRITICAL POC
9.8 Dec 18

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8

CVE-2020-9402 HIGH POC
8.8 Mar 05

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a

CVE-2016-6186 MEDIUM POC
6.1 Aug 05

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/j

CVE-2025-57833 HIGH POC
7.1 Sep 03

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS

CVE-2015-5143 HIGH
7.8 Jul 14

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows rem

CVE-2015-0221 MEDIUM POC
5.0 Jan 16

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an e

CVE-2014-0474 CRITICAL
10.0 Apr 23

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.

CVE-2016-9013 CRITICAL
9.8 Dec 09

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary datab

CVE-2018-14574 MEDIUM POC
6.1 Aug 03

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. R

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-1207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy