Fluid Attacks Database

Description

Django has an SQL Injection issue An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.

.QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Solomon Kebede for reporting this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	django	>=6.0a1 <6.0.2 \|\| >=5.2a1 <5.2.11 \|\| >=4.2a1 <4.2.28	6.0.2, 5.2.11, 4.2.28
debian 11	python-django	=2:2.2.24-1 \|\| =2:2.2.25-1~deb11u1 \|\| =2:2.2.26-1~deb11u1 \|\| =2:2.2.28-1~deb11u1 \|\| =2:2.2.28-1~deb11u10 \|\| =2:2.2.28-1~deb11u11 \|\| =2:2.2.28-1~deb11u2 \|\| =2:2.2.28-1~deb11u3 \|\| =2:2.2.28-1~deb11u4 \|\| =2:2.2.28-1~deb11u5 \|\| =2:2.2.28-1~deb11u6 \|\| =2:2.2.28-1~deb11u7 \|\| =2:2.2.28-1~deb11u8 \|\| =2:2.2.28-1~deb11u9 \|\| >=0 <2:2.2.28-1~deb11u12	2:2.2.28-1~deb11u12
debian 14	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| >=0 <3:4.2.28-1	3:4.2.28-1
debian 12	python-django	=3:3.2.19-1 \|\| =3:3.2.19-1+deb12u1 \|\| =3:3.2.19-1+deb12u1~bpo11+1 \|\| =3:3.2.19-1+deb12u2 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| =3:3.2.25-0+deb12u1 \|\| >=0 <3:3.2.25-0+deb12u2	3:3.2.25-0+deb12u2
debian 13	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-0+deb13u1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| >=0 <3:4.2.28-0+deb13u1	3:4.2.28-0+deb13u1

Aliases

1. CVE-2026-13122. NVD-2026-13123. OSV-2026-13124. OSV-DEBIAN-2026-13125. GCVE-2026-13126. SECURITY-TRACKER-CVE-2026-1312

References

1. https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d842. https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf2223. https://docs.djangoproject.com/en/dev/releases/security4. https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-47.yaml5. https://groups.google.com/g/django-announce6. https://www.djangoproject.com/weblog/2026/feb/03/security-releases7. https://github.com/alpinine/CVE-2026-1312-Testing