CVE-2022-28346

CRITICAL LAB

Django 2.2-2.2.27, 3.2-3.2.12, 4.0-4.0.3 - SQL Injection via QuerySet Column Alias Dictionary Expansion

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2022-28346. PoCs published by DeEpinGh0st, YouGina, kamal-marouane.

AI-analyzed exploit summary: This repository contains a working proof-of-concept for CVE-2022-28346, demonstrating a SQL injection vulnerability in Django's QuerySet.annotate() method. The exploit allows arbitrary SQL execution via crafted input to the 'field' parameter.

Description

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Exploits (4)

nomisec · WORKING POC · 25 stars
by DeEpinGh0st · poc
https://github.com/DeEpinGh0st/CVE-2022-28346

This repository contains a working proof-of-concept for CVE-2022-28346, demonstrating a SQL injection vulnerability in Django's QuerySet.annotate() method. The exploit allows arbitrary SQL execution via crafted input to the 'field' parameter.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Django 3.2.13 (and other versions affected by CVE-2022-28346)
Auth: No auth needed
Prerequisites: A vulnerable Django application with exposed QuerySet.annotate() usage
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by YouGina · poc
https://github.com/YouGina/CVE-2022-28346

This repository contains a working proof-of-concept for CVE-2022-28346, demonstrating SQL injection in Django's QuerySet.annotate() and aggregate() methods. The exploit is set up via Docker and includes a vulnerable Django application to showcase the vulnerability.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django 3.2.4
Auth: No auth needed
Prerequisites: Docker · Django environment · PostgreSQL database
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by kamal-marouane · poc
https://github.com/kamal-marouane/CVE-2022-28346

This repository contains a Django project demonstrating CVE-2022-28346, a SQL injection vulnerability in Django's QuerySet methods. It includes a Docker setup for testing the exploit.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django (versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4)
Auth: No auth needed
Prerequisites: Docker installed · Python environment with Django
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by vincentinttsh · poc
https://github.com/vincentinttsh/CVE-2022-28346

This repository contains a Django-based PoC for CVE-2022-28346, demonstrating a SQL injection vulnerability in Django's QuerySet.annotate(), aggregate(), and extra() methods. The PoC includes a Django project with a vulnerable endpoint that can be exploited using a crafted SQL injection payload.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Django 4.0 (prior to security patch)
Auth: No auth needed
Prerequisites: Django application with vulnerable QuerySet methods exposed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0197
EPSS Percentile 84.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (4)
debian/debian_linux 9.0
debian/debian_linux 11.0
djangoproject/django 2.2 - 2.2.28
pypi/Django 2.2 - 2.2.28 (PyPI)
Published Apr 12, 2022
Tracked Since Feb 18, 2026