CVE-2026-1207

Tags: MEDIUM | EXPLOITED | NUCLEI

Django < 4.2.28 - SQL Injection

Title source: rule

Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Nuclei Templates (1)

Django RasterField - SQL Injection
Severity: HIGH | Verified | by omarkurt
Shodan: django
FOFA: app="Django"

Scores

CVSS v3 5.4
EPSS 0.0442
EPSS Percentile 89.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

VulnCheck KEV 2026-02-26
CWE
CWE-89
Status published
Products (2)
djangoproject/django 4.2 - 4.2.28
pypi/Django 6.0a1 - 6.0.2 (PyPI)
Published Feb 03, 2026
Tracked Since Feb 18, 2026