CVE-2026-1207

Tags: MEDIUM · EXPLOITED · NUCLEI · LAB

Django 4.2-4.2.27 5.2-5.2.10 6.0-6.0.1 - SQL Injection via RasterField Band Index Parameter


Exploitation Summary

CVE-2026-1207 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including AikidoSec, sw0rd1ight. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2026-1207, demonstrating SQL injection via unsanitized band index in GeoDjango RasterField lookups. It includes both vulnerable and protected test cases to showcase the exploit and mitigation using Aikido Zen.

Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Exploits (2)

github · WORKING POC · 6 stars
by AikidoSec · javascript · poc
https://github.com/AikidoSec/zen-0-days/tree/main/python/CVE-2026-1207

This repository contains a functional proof-of-concept for CVE-2026-1207, demonstrating SQL injection via unsanitized band index in GeoDjango RasterField lookups. It includes both vulnerable and protected test cases to showcase the exploit and mitigation using Aikido Zen.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Django with GeoDjango (specific version not specified)
No auth needed
Prerequisites: PostgreSQL with PostGIS and PostGIS Raster extensions enabled · Django application with GeoDjango configured
devstral-2 · analyzed May 28, 2026

github · WORKING POC
by sw0rd1ight · python · poc
https://github.com/sw0rd1ight/CVE-2026-1207

This repository contains a functional proof-of-concept for CVE-2026-1207, demonstrating a SQL injection vulnerability in Django GIS's RasterField. The exploit leverages unfiltered user input in the 'band' parameter to inject arbitrary SQL, with a provided delay-based PoC.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Django 5.2.9 with django.contrib.gis RasterField
No auth needed
Prerequisites: Django application with RasterField usage · PostgreSQL with PostGIS extension
devstral-2 · analyzed Apr 26, 2026

Nuclei Templates (1)

Django RasterField - SQL Injection
HIGH · VERIFIED · by omarkurt
Shodan: django
FOFA: app="Django"

References (3)

Core References (3)
Vendor Advisory, Patch (vendor-advisory)
https://docs.djangoproject.com/en/dev/releases/security/
Release Notes (mailing-list)
https://groups.google.com/g/django-announce

Scores

CVSS v3 5.4
EPSS 0.0657
EPSS Percentile 91.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

Community Lab
docker pull m.daocloud.io/docker.io/postgis/postgis:17-3.4
docker pull postgis/postgis:16-3.4

Details

VulnCheck KEV 2026-02-26
CWE
CWE-89
Status published
Products (4)
djangoproject/django 4.2 - 4.2.28
pypi/Django 4.2a1 - 4.2.28 (PyPI)
pypi/Django 5.2a1 - 5.2.11 (PyPI)
pypi/Django 6.0a1 - 6.0.2 (PyPI)
Published Feb 03, 2026
Tracked Since Feb 18, 2026