CVE-2026-1312

MEDIUM LAB

Django < 4.2.28 - SQL Injection

Title source: rule

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Exploits (2)

nomisec WORKING POC

by alpinine · poc

https://github.com/alpinine/CVE-2026-1312-Testing

View Code ZIP pw:eip

nomisec WORKING POC

by sw0rd1ight · poc

https://github.com/sw0rd1ight/CVE-2026-1312

View Code ZIP pw:eip

References (3)

[Vendor Advisory, Patch] https://docs.djangoproject.com/en/dev/releases/security/

[Release Notes] https://groups.google.com/g/django-announce

[Patch, Vendor Advisory] https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 1.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull m.daocloud.io/docker.io/library/postgres:latest

https://github.com/sw0rd1ight/CVE-2026-1312

https://github.com/alpinine/CVE-2026-1312-Testing

View in Library

Details

CWE

CWE-89

Status published

Products (2)

djangoproject/django 4.2 - 4.2.28

pypi/Django 6.0a1 - 6.0.2PyPI

Published Feb 03, 2026

Tracked Since Feb 18, 2026