A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Security Fix(es):
An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password() function, used for authentication via mod_wsgi, is vulnerable to a timing attack that allows remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of "low" according to the Django security policy. (CVE-2025-13473)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to cause a potential denial of service via a crafted request containing multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. (CVE-2025-14550)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. (CVE-2026-1207)
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allow a remote attacker to cause a potential denial of service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. (CVE-2026-1285)
A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include the Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), the 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and the 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected. (CVE-2026-1287)
An SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods and the same alias is reused in FilteredRelation via a specially crafted dictionary passed through dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. (CVE-2026-1312)
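The username-enumeration risk behind a timing attack on a password-check entry point, and the standard mitigation, as an added example that is not Django's code and not the fix applied for this CVE: a check that returns early for unknown usernames does no hashing work on that path, so its response time differs from the known-username path; the mitigated version always runs the hasher against a dummy record and always uses a constant-time comparison. The in-memory user table, the PBKDF2 settings and the hash-call counter are constructed for the example (counting hash calls is used instead of wall-clock timing so the difference can be checked deterministically).

```python
"""Added example (not Django's own code): why a password check that
short-circuits on unknown usernames leaks account existence through
timing, and the usual mitigation of doing the same hashing work on
every call. A constructed in-memory user table and a PBKDF2 hasher
stand in for the real user store and password hasher."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value; production settings use far more


def make_record(password: str) -> dict:
    """Build a salted PBKDF2 record for a constructed user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed user table with a single account.
USERS = {"alice": make_record("correct horse battery staple")}

# Instrumentation: count hash computations so the work done on each
# code path can be asserted without relying on flaky timing measurements.
HASH_CALLS = {"count": 0}


def _hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password_leaky(username: str, password: str) -> bool:
    """Leaky pattern: an unknown username returns before any hashing,
    so that path is measurably faster than the known-username path."""
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(_hash(password, record["salt"]), record["digest"])


# A fixed dummy record so the unknown-user path performs identical work.
_DUMMY = make_record("dummy-password-never-accepted")


def check_password_constant_work(username: str, password: str) -> bool:
    """Mitigated pattern: always run the hasher (against a dummy record
    when the user is unknown), always compare in constant time, and only
    then reject unknown users."""
    record = USERS.get(username)
    target = record if record is not None else _DUMMY
    candidate = _hash(password, target["salt"])
    matched = hmac.compare_digest(candidate, target["digest"])
    # An unknown user fails regardless of the comparison result.
    return matched and record is not None


def hash_calls_for(fn, username: str, password: str) -> int:
    """Return how many hash computations one call of fn performed."""
    before = HASH_CALLS["count"]
    fn(username, password)
    return HASH_CALLS["count"] - before
```

The leaky variant performs zero hash computations for an unknown username and one for a known one; the mitigated variant performs exactly one in both cases, which removes the work difference an attacker would measure.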
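Both of the alias-related issues above (CVE-2026-1287 and CVE-2026-1312) involve caller-influenced dictionary keys reaching QuerySet methods through dictionary expansion. The following is an added example, not Django's own validation and not the upstream fix: an application-side allowlist check applied to such a dictionary at the boundary where untrusted keys enter, before it is expanded into annotate(), alias(), order_by() or a FilteredRelation. The regular expression, the exception class and the sample dictionaries are constructed for the example; the assumption is that the keys originate from a request or another untrusted source.

```python
"""Added example (not Django's own code): allowlist the keys of a
caller-influenced alias dictionary before expanding it into QuerySet
methods. Only identifier-style names are accepted, so periods, quotes,
whitespace, control characters and SQL comment sequences are rejected
by construction rather than by a denylist."""
import re

# Constructed pattern: ASCII letters, digits and underscore, not starting
# with a digit, anchored to the whole string (\A and \Z avoid the
# trailing-newline leniency of $).
_SAFE_ALIAS = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]*\Z")


class UnsafeAliasError(ValueError):
    """Raised when an alias key would not pass the allowlist."""


def unsafe_keys(aliases: dict) -> list:
    """Return the keys that fail the allowlist, in dictionary order."""
    return [
        key for key in aliases
        if not isinstance(key, str) or _SAFE_ALIAS.match(key) is None
    ]


def validate_aliases(aliases: dict) -> dict:
    """Return the dictionary unchanged if every key is a safe alias,
    otherwise raise UnsafeAliasError naming the first offending key.

    Intended use at the boundary, e.g. queryset.annotate(**validate_aliases(aliases)).
    """
    bad = unsafe_keys(aliases)
    if bad:
        raise UnsafeAliasError(f"rejected alias {bad[0]!r}")
    return aliases


def is_valid_aliases(aliases: dict) -> bool:
    """Boolean form of validate_aliases for callers that prefer not to catch."""
    return not unsafe_keys(aliases)
```

The check is deliberately stricter than SQL itself requires: rejecting anything outside the identifier pattern means a new delimiter or control sequence cannot slip through because it was missing from a denylist. Applying the framework's own security update remains the actual fix; this check limits exposure of application code that builds such dictionaries from user input.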
Severity: High