Critical Django Vulnerabilities Enable DoS & SQL Injection Attacks
The development team behind Django, the widely-used Python web framework, has pushed urgent security updates to mitigate six critical vulnerabilities. These flaws include three high-severity SQL injection vulnerabilities and multiple denial-of-service (DoS) vectors. They affect Django versions 4.2, 5.2, 6.0, and the main development branch.
Three of the disclosed vulnerabilities carry high-severity ratings and could allow attackers to execute arbitrary SQL commands.
CVE-2026-1207 affects PostGIS users through raster lookups on GIS fields, where untrusted data used as a band index could enable SQL injection.
CVE-2026-1287 targets FilteredRelation functionality, allowing SQL injection in column aliases via control characters when crafted dictionaries are passed to QuerySet methods like annotate(), aggregate(), and values().
Additionally, CVE-2026-1312 affects QuerySet.order_by(), allowing SQL injection through column aliases containing periods when used with FilteredRelation.
Denial-of-Service Vulnerabilities
Two moderate-severity denial-of-service vulnerabilities were also patched.
| CVE ID | Description | Severity | Affected Versions |
|---|---|---|---|
| CVE-2025-13473 | Username enumeration via timing differences in mod_wsgi authentication handler | Low | 4.2, 5.2, 6.0, main |
| CVE-2025-14550 | Denial-of-service via repeated headers when using ASGI | Moderate | 4.2, 5.2, 6.0, main |
| CVE-2026-1207 | SQL injection via raster lookups on PostGIS | High | 4.2, 5.2, 6.0, main |
| CVE-2026-1285 | Denial-of-service in django.utils.text.Truncator HTML methods | Moderate | 4.2, 5.2, 6.0, main |
| CVE-2026-1287 | SQL injection in column aliases via control characters | High | 4.2, 5.2, 6.0, main |
| CVE-2026-1312 | SQL injection via QuerySet.order_by() and FilteredRelation | High | 4.2, 5.2, 6.0, main |
CVE-2025-14550 affects ASGI implementations, allowing attackers to send requests with multiple duplicate headers, leading to repeated string concatenation, superlinear computation, and service degradation.
CVE-2026-1285 targets Django’s Truncator HTML methods, specifically the chars() and words() functions with html=True, as well as the template filters truncatechars_html and truncatewords_html.
Inputs with many unmatched HTML end tags can cause quadratic-time complexity during parsing.
Timing Attack Vulnerability
A low-severity timing attack vulnerability, CVE-2025-13473, affects the mod_wsgi authentication handler. The check_password() function allows remote attackers to enumerate valid usernames by measuring response time differences, potentially aiding brute-force attacks.
The Django team has released patches for versions 6.0.2, 5.2.11, and 4.2.28, urging all users to upgrade immediately. Patches are available through GitHub changesets for each affected branch.
Organizations using Django should prioritize updating their installations, particularly those using PostGIS, ASGI servers, or FilteredRelation queries.
| Area | Recommended Action |
|---|---|
| Immediate Upgrade | Update to the latest patched versions immediately |
| Input Validation | Ensure all untrusted user input is properly validated |
| PostGIS Users | Review raster lookup implementations for untrusted band index usage |
| ASGI Deployments | Monitor and protect against duplicate header attacks |
| QuerySet Review | Audit code using FilteredRelation and order_by() with dynamic aliases |
As emphasized in the advisory, all untrusted user input should be validated before use to prevent exploitation. The releases were signed with PGP key ID 131403F4D16D8DC7 by Jacob Walls.
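Added here as an illustration of the input validation the advisory recommends for the alias and band-index paths described above; this is example code, not Django's own, and it assumes a strict ASCII-identifier allowlist (deliberately stricter than any rule Django applies) and leaves the valid band-number range to the caller:

```python
import re
from typing import Mapping

# Conservative allowlist for alias names that reach annotate(), aggregate(),
# values() or order_by() from untrusted input: a plain ASCII identifier.
# Assumption: this is deliberately stricter than anything Django enforces;
# it rejects the control characters and periods named in the advisory.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_alias(alias: object) -> bool:
    """True only for a str that is a plain ASCII identifier (no control
    characters, no periods, no quoting or whitespace)."""
    return isinstance(alias, str) and _ALIAS_RE.fullmatch(alias) is not None


def filter_aliases(aliases: Mapping[str, object]) -> dict[str, object]:
    """Drop every entry of a user-influenced alias dict whose key fails
    is_safe_alias; apply before **-expanding it into a QuerySet method."""
    return {k: v for k, v in aliases.items() if is_safe_alias(k)}


def safe_order_by_field(name: str) -> str:
    """Validate an order_by() argument, allowing a leading '-' for descending
    order; raise instead of forwarding a suspicious alias."""
    bare = name[1:] if name.startswith("-") else name
    if not is_safe_alias(bare):
        raise ValueError(f"refusing unsafe order_by alias: {name!r}")
    return name


def safe_band_index(value: object, max_band: int) -> int:
    """Coerce an untrusted raster band index to a bounded non-negative int
    so it can only reach the PostGIS raster lookup as a number.
    Whether band numbering starts at 0 or 1 is left to the caller's bound."""
    try:
        band = int(str(value).strip())
    except ValueError as exc:
        raise ValueError(f"band index is not an integer: {value!r}") from exc
    if not 0 <= band <= max_band:
        raise ValueError(f"band index {band} outside 0..{max_band}")
    return band
```

Run these checks at the boundary where request data is turned into QuerySet arguments; they complement, and do not replace, upgrading to the patched releases.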
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.