Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-1312

Good to know:

icon
icon

Date: February 3, 2026

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ".QuerySet.order_by()" is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in "FilteredRelation". Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Severity Score

Related Resources (10)

https://nvd.nist.gov/vuln/detail/CVE-2026-1312
https://groups.google.com/g/django-announce
https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222
https://docs.djangoproject.com/en/dev/releases/security/
https://docs.djangoproject.com/en/dev/releases/security
https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84
https://www.djangoproject.com/weblog/2026/feb/03/security-releases
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
https://github.com/django/django
https://www.mend.io/vulnerability-database/CVE-2026-1312

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

icon

Upgrade Version

Upgrade to version django - 6.0.2;django - 5.2.11;django - 4.2.28;django - 6.0.2;https://github.com/django/django.git - 6.0.2;https://github.com/django/django.git - 5.2.11;https://github.com/django/django.git - 4.2.28

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us