EXECUTIVE SUMMARY:
A series of security flaws were identified in multiple versions of the Django core libraries that could be exploited by attackers to undermine application integrity and availability. These issues include SQL injection vulnerabilities in query-building and GIS-related functionality, where crafted inputs can manipulate backend database commands and potentially lead to unauthorized data access or modification; algorithmic-complexity and denial-of-service conditions triggered by inefficient text truncation or crafted header inputs, resulting in service disruption; and a timing discrepancy in an authentication routine that enables remote user enumeration through observable differences in response time. Collectively, these vulnerabilities emphasize the importance of patching affected dependencies to mitigate risks ranging from elevated data exposure to resource exhaustion in production environments.
- CVE-2026-1312: A SQL injection vulnerability in Django's QuerySet.order_by() when used with FilteredRelation and crafted column aliases. An attacker can manipulate queries to access or modify unauthorized data. The vulnerability has a CVSS score of 8.1.
- CVE-2026-1287: A SQL injection vulnerability in Django's FilteredRelation, where crafted column aliases can manipulate SQL queries. This flaw can be leveraged to bypass query restrictions and gain unintended visibility into database contents. Updating Django to the fixed versions prevents exploitation. The vulnerability has a CVSS score of 8.1.
- CVE-2026-1285: A denial-of-service vulnerability in Django's text and HTML truncation utilities due to inefficient algorithmic complexity. Processing specially crafted input containing numerous unmatched HTML tags can cause excessive CPU consumption. The vulnerability has a CVSS score of 2.7.
- CVE-2026-1207: A SQL injection vulnerability in Django's RasterField lookup on PostGIS, where untrusted band index input can alter SQL queries. This can allow crafted requests to interfere with database logic in GIS-enabled Django deployments. The vulnerability has a CVSS score of 8.1.
- CVE-2025-13473: A username enumeration vulnerability in Django's mod_wsgi authentication handler, where timing differences in the check_password() function can leak information about valid accounts. This observable timing discrepancy lets a remote actor distinguish between existing and non-existing users based on response timing. The vulnerability has a CVSS score of 2.7.
- CVE-2025-14550: A denial-of-service vulnerability in Django's request handling due to inefficient processing of multiple duplicate headers. This flaw allows remote requests with repeated headers to overload server resources, potentially leading to service outages. The vulnerability has a CVSS score of 2.7.
RECOMMENDATION:
- We strongly recommend updating Django to version 6.0.2, 5.2.11 or 4.2.28 (or later), according to the release series in use.
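To check a deployed or pinned Django version against the three fixed releases named in this recommendation, the following script is an added example (not part of this advisory or of the Django project). The function names, and the assumption that any release series newer than 6.0 postdates the fix, are this example's own.

```python
"""Compare a Django version string with the fixed releases from the advisory:
6.0.2, 5.2.11 and 4.2.28. Added example; helper names are hypothetical."""
from typing import Optional, Tuple

# Fixed releases from the advisory, keyed by (major, minor) release series.
FIXED_RELEASES = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.2.11', '5.2' or '6.0a1' into (major, minor, patch).
    A pre-release suffix such as 'a1' or 'rc1' is stripped from its component."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def advisory_status(version: str) -> Tuple[bool, str]:
    """Return (patched, reason). A series the advisory does not list (for
    example 5.1.x or 3.2.x) has no fixed release here and is reported as not
    patched; a series newer than 6.0 is assumed to postdate the fix."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        if (major, minor) > (6, 0):
            return True, f"{version}: series newer than 6.0 (assumed to include the fix)"
        return False, f"{version}: series {major}.{minor} has no fixed release in the advisory"
    fixed_str = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return True, f"{version}: at or above fixed release {fixed_str}"
    return False, f"{version}: below fixed release {fixed_str}"

def installed_django_status() -> Optional[Tuple[bool, str]]:
    """Check the Django importable in this environment, or None if absent."""
    try:
        import django
    except ImportError:
        return None
    return advisory_status(django.get_version())
```

Run `installed_django_status()` inside the application's virtual environment, or feed `advisory_status()` the version pinned in a requirements or lock file.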
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-6426-9fv3-65x8
https://github.com/advisories/GHSA-gvg8-93h5-g6qq
https://github.com/advisories/GHSA-4rrr-2h4v-f3j9
https://github.com/advisories/GHSA-mwm9-4648-f68q
https://github.com/advisories/GHSA-2mcm-79hx-8fxw
https://github.com/advisories/GHSA-33mw-q7rj-mjwj