Home > Vulnerability Database > CVE-2025-59681

Mend.io Vulnerability Database

CVE-2025-59681

Good to know:

Date: September 30, 2025

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Severity Score

7.1

Related Resources (10)

Url: https://www.djangoproject.com/weblog/2025/oct/01/security-releases/

Url: https://github.com/django/django/commit/43d84aef04a9e71164c21a74885996981857e66e

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-59681

Url: https://groups.google.com/g/django-announce

Url: https://github.com/django/django/commit/41b43c74bda19753c757036673ea9db74acf494a

Url: https://docs.djangoproject.com/en/dev/releases/security/

Url: https://docs.djangoproject.com/en/dev/releases/security

Url: https://www.djangoproject.com/weblog/2025/oct/01/security-releases

Url: https://github.com/django/django

Url: https://www.mend.io/vulnerability-database/CVE-2025-59681

Severity Score

7.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version django - 4.2.25;django - 5.1.13;django - 5.2.7

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-59681

Good to know:

Date: September 30, 2025

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?