CVE-2026-1287
MEDIUM
GHSA-gvg8-93h5-g6qq
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
Analysis
SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running 6.0 and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today