CVE-2026-1312

MEDIUM LAB

Django 4.2-4.2.27, 5.2-5.2.10, 6.0-6.0.1 - SQL Injection via QuerySet.order_by() with FilteredRelation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-1312. PoCs published by alpinine, sw0rd1ight.

AI-analyzed exploit summary

This repository contains a functional PoC for CVE-2026-1312, demonstrating the vulnerability in Django by running regression tests before and after the fix. It uses Docker to isolate the test environment and logs results for analysis.

Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `QuerySet.order_by()` is subject to SQL injection through column aliases containing periods when the same alias is also used in `FilteredRelation`, supplied via a suitably crafted dictionary with dictionary expansion. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Exploits (2)

nomisec WORKING POC
by alpinine · poc
https://github.com/alpinine/CVE-2026-1312-Testing

This repository contains a functional PoC for CVE-2026-1312, demonstrating the vulnerability in Django by running regression tests before and after the fix. It uses Docker to isolate the test environment and logs results for analysis.

Classification
Working PoC 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Django (specific version not explicitly stated)
No auth needed
Prerequisites: Docker Desktop · Python 3.12 · Django repository with specific commits
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by sw0rd1ight · poc
https://github.com/sw0rd1ight/CVE-2026-1312

This repository contains a functional proof-of-concept for CVE-2026-1312, a Django SQL injection vulnerability. The exploit demonstrates how malicious SQL can be injected via the `order_by()` method when using `FilteredRelation` with dynamically constructed queries.

Classification
Working PoC 95%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target: Django (versions 6.0.0-6.0.1, 5.2.0-5.2.10, 4.2.0-4.2.27)
No auth needed
Prerequisites: Django application with vulnerable version · Access to a vulnerable endpoint using `order_by()` with user-controlled input
devstral-2 · analyzed Mar 15, 2026

References (3)

Core References
Vendor Advisory, Patch (vendor-advisory): https://docs.djangoproject.com/en/dev/releases/security/
Release Notes (mailing-list): https://groups.google.com/g/django-announce

Scores

CVSS v3 5.4
EPSS 0.0001
EPSS Percentile 2.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

Community Lab
docker pull m.daocloud.io/docker.io/library/postgres:latest

Details

CWE
CWE-89
Status published
Products (4)
djangoproject/django 4.2 - 4.2.28
pypi/Django 4.2a1 - 4.2.28 (PyPI)
pypi/Django 5.2a1 - 5.2.11 (PyPI)
pypi/Django 6.0a1 - 6.0.2 (PyPI)
Published Feb 03, 2026
Tracked Since Feb 18, 2026