SQL Injection Vulnerability in Django Web Framework
CVE-2026-1312

5.4MEDIUM

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 February 2026

What is CVE-2026-1312?

An SQL injection vulnerability was identified in the Django web framework that particularly affects versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The issue arises from improper handling of column aliases containing periods when used with dictionary expansion in FilteredRelation with the .QuerySet.order_by() method. As such, attackers can craft specific inputs to manipulate SQL queries, potentially leading to unauthorized data access. Older, unsupported versions, including the 5.0.x, 4.1.x, and 3.2.x series might also be susceptible. Django acknowledges the contribution of Solomon Kebede for reporting this issue, emphasizing the need for users to upgrade to the latest secured releases.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Django 6.0 < 6.0.2

Django 5.2 < 5.2.11

Django 4.2 < 4.2.28

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security...
vendor-advisory

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Solomon Kebede
Jacob Walls
Jacob Walls
JSON
.