PYSEC-2025-108

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2025-108.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-108

Aliases

Published

2025-11-05T15:15:41.080Z

Modified

2026-05-20T09:18:57.735127Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2

Fixed

4.2.26

Introduced

5.1

Fixed

5.1.14

Introduced

5.2

Fixed

5.2.8

Affected versions

4.*

4.2

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.2.17

4.2.18

4.2.19

4.2.20

4.2.21

4.2.22

4.2.23

4.2.24

4.2.25

5.*

5.1

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2025-108.yaml"