Home > Vulnerability Database > CVE-2026-1207

Mend.io Vulnerability Database

CVE-2026-1207

Good to know:

Date: February 3, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on "RasterField" (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Severity Score

5.4

Related Resources (9)

Url: https://groups.google.com/g/django-announce

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-1207

Url: https://docs.djangoproject.com/en/dev/releases/security/

Url: https://docs.djangoproject.com/en/dev/releases/security

Url: https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8

Url: https://www.djangoproject.com/weblog/2026/feb/03/security-releases

Url: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

Url: https://github.com/django/django

Url: https://www.mend.io/vulnerability-database/CVE-2026-1207

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version django - 6.0.2;django - 5.2.11;django - 4.2.28;django - 6.0.2;https://github.com/django/django.git - 6.0.2;https://github.com/django/django.git - 5.2.11;https://github.com/django/django.git - 4.2.28

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-1207

Good to know:

Date: February 3, 2026

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?