SQL Injection Vulnerability in Django by Django Software Foundation
CVE-2026-1287

5.4MEDIUM

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 February 2026

What is CVE-2026-1287?

A SQL injection vulnerability has been identified in specific versions of Django, where the FilteredRelation component is susceptible to injection through control characters in column aliases. This occurs when a malicious actor utilizes a specially crafted dictionary with dictionary expansion as the **kwargs in QuerySet methods like annotate(), aggregate(), extra(), values(), values_list(), and alias(). Although unsupported versions such as 5.0.x, 4.1.x, and 3.2.x have not been formally evaluated, they may also be at risk. Developers are urged to upgrade their installations to mitigate these potential security threats.

Affected Version(s)

Django 6.0 < 6.0.2

Django 5.2 < 5.2.11

Django 4.2 < 4.2.28

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security...
vendor-advisory

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Solomon Kebede
Jake Howard
Jacob Walls
.