CVE-2020-7471

CRITICAL LAB

Django 1.11-1.11.27, 2.2-2.2.9, 3.0-3.0.2 - SQL Injection via StringAgg Delimiter

Title source: llm

Exploitation Summary

EIP tracks 8 public exploits for CVE-2020-7471. PoCs published by Saferman, HxDDD, secoba.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2020-7471, demonstrating SQL injection via Django's StringAgg delimiter parameter. The PoC includes a Django project setup and a Python script that fuzzes delimiters and executes a malicious payload to prove the vulnerability.

Description

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Exploits (8)

nomisec WORKING POC 103 stars
by Saferman · poc
https://github.com/Saferman/CVE-2020-7471

This repository contains a functional proof-of-concept exploit for CVE-2020-7471, demonstrating SQL injection via Django's StringAgg delimiter parameter. The PoC includes a Django project setup and a Python script that fuzzes delimiters and executes a malicious payload to prove the vulnerability.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django (1.11 to 1.11.28, 2.2 to 2.2.10, 3.0 to 3.0.3)
No auth needed
Prerequisites: Django vulnerable version installed · PostgreSQL database configured · Python environment with Django dependencies
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 3 stars
by HxDDD · poc
https://github.com/HxDDD/CVE-PoC/tree/main/Django/(SQL Injection) CVE-2020-7471.md

This repository provides a detailed technical analysis of CVE-2020-7471, a SQL injection vulnerability in Django 3.0.2. It includes environment setup instructions, proof-of-concept code demonstrating the exploit, root cause analysis, and mitigation steps.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django 3.0.2
No auth needed
Prerequisites: Django 3.0.2 · PostgreSQL 13 · psycopg2 2.8.6
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 2 stars
by secoba · poc
https://github.com/secoba/DjVul_StringAgg

This repository contains a Django application demonstrating CVE-2020-7471, a SQL injection vulnerability in Django's StringAgg function. The PoC includes a Django project with PostgreSQL configuration and views to exploit the vulnerability via crafted delimiters.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django (versions affected by CVE-2020-7471)
No auth needed
Prerequisites: Django application with PostgreSQL backend · Access to a vulnerable endpoint using StringAgg
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by SNCKER · poc
https://github.com/SNCKER/CVE-2020-7471

This repository contains a functional proof-of-concept for CVE-2020-7471, demonstrating SQL injection via Django's StringAgg delimiter parameter. The PoC includes a Django project setup and a script that exploits the vulnerability to execute arbitrary SQL commands, such as pg_sleep(5), confirming the injection.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django (1.11 to 1.11.28, 2.2 to 2.2.10, 3.0 to 3.0.3)
No auth needed
Prerequisites: Django vulnerable version installed · PostgreSQL database configured
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by huzaifakhan771 · poc
https://github.com/huzaifakhan771/CVE-2020-7471-Django

This repository contains a functional PoC for CVE-2020-7471, demonstrating SQL injection in Django's `StringAgg` class by exploiting the delimiter parameter. The provided Django views show how arbitrary SQL queries can be injected through user input.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
No auth needed
Prerequisites: Django application with PostgreSQL backend · Access to a vulnerable Django version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by mrlihd · poc
https://github.com/mrlihd/CVE-2020-7471

This repository contains a functional Django application demonstrating CVE-2020-7471, a SQL injection vulnerability via the StringAgg delimiter parameter. The PoC includes a vulnerable endpoint that allows arbitrary SQL injection through the 'delim' query parameter.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Django with PostgreSQL (Django 3.0.2)
No auth needed
Prerequisites: Django application with PostgreSQL backend · Exposed endpoint using StringAgg with user-controlled delimiter
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by Tempuss · poc
https://github.com/Tempuss/CTF_CVE-2020-7471

The repository contains only static JavaScript and CSS files from Django's admin interface, with no exploit code or technical analysis related to CVE-2020-7471. The files appear to be part of a Django project's static assets rather than a functional PoC.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Django (version unspecified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by victomteng1997 · poc
https://github.com/victomteng1997/cve-2020-7471-Time_Blind_SQLi-

This repository contains a functional exploit for CVE-2020-7471, demonstrating a time-based blind SQL injection vulnerability in Django's StringAgg function. The PoC includes a Django application setup and a script that exploits the vulnerability to extract credentials from a PostgreSQL database.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django (tested on 3.0.2) with PostgreSQL
No auth needed
Prerequisites: Django application with PostgreSQL backend · Access to a vulnerable endpoint using StringAgg
devstral-2 · analyzed Feb 18, 2026

References (12)

Core References
Vendor Advisory x_refsource_confirm
https://docs.djangoproject.com/en/3.0/releases/security/
Mailing List, Third Party Advisory x_refsource_confirm
https://www.openwall.com/lists/oss-security/2020/02/03/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/02/03/1
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4264-1/
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Feb/30
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4629
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200221-0006/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202004-17

Scores

CVSS v3 9.8
EPSS 0.1537
EPSS Percentile 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull postgres:11-alpine
docker pull nginx:alpine

Details

CWE
CWE-89
Status published
Products (2)
djangoproject/django 1.11 - 1.11.28
pypi/Django 0 - 1.11.28 (PyPI)
Published Feb 03, 2020
Tracked Since Feb 18, 2026