CVE-2026-1287
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in col
CVSS
5.4
Medio
EPSS
0.8%
p51
KEV
—
Exploit Today
15
0-100
Publicado: 3 feb 2026 · Última mod.: 15 jul 2026 · CWE-89
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
- docs.djangoproject.comhttps://docs.djangoproject.com/en/dev/releases/security/
- groups.google.comhttps://groups.google.com/g/django-announce
- www.djangoproject.comhttps://www.djangoproject.com/weblog/2026/feb/03/security-releases/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14835
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2694
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3958
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3959
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3960
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3962
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5970
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5971
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6291
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-1287
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2436339
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1287.json