Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application.
{ "cpes": [ "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*" ], "severity": "Critical" }