Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-1287

Good to know:

icon
icon
icon

Date: February 3, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. "FilteredRelation" is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the "**kwargs" passed to "QuerySet" methods "annotate()", "aggregate()", "extra()", "values()", "values_list()", and "alias()". Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Severity Score

Related Resources (9)

https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22
https://groups.google.com/g/django-announce
https://docs.djangoproject.com/en/dev/releases/security/
https://docs.djangoproject.com/en/dev/releases/security
https://www.djangoproject.com/weblog/2026/feb/03/security-releases
https://nvd.nist.gov/vuln/detail/CVE-2026-1287
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
https://github.com/django/django
https://www.mend.io/vulnerability-database/CVE-2026-1287

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

icon

Upgrade Version

Upgrade to version django - 6.0.2;django - 5.2.11;django - 4.2.28;https://github.com/django/django.git - 6.0.2;https://github.com/django/django.git - 5.2.11;https://github.com/django/django.git - 4.2.28

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us