The maintainers of the popular Python web framework Django have issued an urgent security release to squash a cluster of high-severity vulnerabilities that could allow attackers to manipulate databases or crash servers. The update, which covers Django 6.0.2, Django 5.2.11, and Django 4.2.28, addresses six distinct security flaws, half of which are critical SQL injection vectors.
The most alarming fixes in this rollout concern three separate “High” severity SQL injection vulnerabilities. These flaws could potentially allow malicious actors to execute arbitrary SQL commands, bypassing the framework’s built-in protections.
The first, CVE-2026-1207, targets applications using PostGIS for geographic data. The advisory notes that “Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index”.
The other two high-severity flaws, CVE-2026-1287 and CVE-2026-1312, both involve query construction with FilteredRelation. In the case of CVE-2026-1287, the FilteredRelation class was vulnerable to injection via column aliases containing control characters. Specifically, “FilteredRelation was subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion”.
Similarly, CVE-2026-1312 exposed a weakness in how QuerySet.order_by() handled column aliases containing periods when combined with FilteredRelation.
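All three SQL injection fixes share one defensive shape: values that end up inside SQL text (a column alias, a raster band index) must be validated against a strict allow-list, and values that can be bound must travel as parameters rather than being interpolated. The block below is an added example illustrating that pattern against an in-memory SQLite table; it is not Django's code, does not reproduce Django's own alias or band-index checks, and the table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Allow-list for column aliases: a plain identifier only. Control characters,
# periods, quotes and whitespace are rejected outright rather than escaped.
# Constructed rule for this example, not Django's own validation.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_alias(alias) -> bool:
    """True only for a non-empty plain identifier with no control characters."""
    return isinstance(alias, str) and IDENTIFIER_RE.fullmatch(alias) is not None


def is_valid_band_index(value) -> bool:
    """True only for a real, non-negative int (bool is excluded on purpose)."""
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def build_query(alias, band_index):
    """Return (sql, params) with the alias validated and the index bound.

    The alias is validated and then quoted as an identifier. The band index
    is never interpolated into the SQL text; it is passed as a bound parameter.
    """
    if not is_safe_alias(alias):
        raise ValueError(f"unsafe column alias: {alias!r}")
    if not is_valid_band_index(band_index):
        raise TypeError(f"band index must be a non-negative int, got {band_index!r}")
    sql = f'SELECT name AS "{alias}" FROM rasters WHERE band = ?'
    return sql, (band_index,)


def run_query(alias, band_index):
    """Execute the composed query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE rasters (name TEXT, band INTEGER)")
        conn.executemany(
            "INSERT INTO rasters VALUES (?, ?)",
            [("elevation", 1), ("slope", 2), ("aspect", 3)],  # constructed rows
        )
        sql, params = build_query(alias, band_index)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_query("elev", 2))
    for bad in ("a.b", "a\x00b", 'a"b', "a b", ""):
        print(repr(bad), "safe alias?", is_safe_alias(bad))
    for bad in ("1", 1.0, True, -1):
        print(repr(bad), "valid band index?", is_valid_band_index(bad))
```

The point of splitting the two checks is that identifiers and values need different treatment: an identifier cannot be bound as a parameter, so it has to be allow-listed before it is quoted, while an index like a band number should never be built into the query string at all.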
Beyond data theft, the update also closes doors to Denial of Service (DoS) attacks that could bring applications to a halt.
One moderate-severity issue, CVE-2025-14550, affects applications served over ASGI. It stems from the way the framework combined duplicate request headers, which let a single request consume disproportionate CPU time.
According to the report, “The vulnerability resulted from repeated string concatenation while combining repeated headers, which produced super-linear computation resulting in service degradation or outage”.
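The super-linear cost the advisory describes comes from repeatedly concatenating immutable byte strings: each step copies everything accumulated so far. The block below is an added example, not Django's handler, that makes the cost observable by counting bytes copied (rather than relying on wall-clock timing) and shows the linear shape, bucket then join once, that avoids it. The header list is constructed for the example.

```python
def combine_concat(values):
    """Combine duplicate header values by repeated concatenation.

    Each step builds a fresh bytes object and copies everything accumulated
    so far, so total work grows roughly with the square of the value count.
    Returns (combined, bytes_copied) so the cost is visible without timing.
    """
    combined = b""
    copied = 0
    for i, value in enumerate(values):
        combined = value if i == 0 else combined + b"," + value
        copied += len(combined)  # bytes written by this step
    return combined, copied


def combine_join(values):
    """Collect first, then join once: the total size is written a single time."""
    combined = b",".join(values)
    return combined, len(combined)


def merge_duplicate_headers(raw_headers):
    """Merge an ASGI-style header list of (name, value) byte pairs in linear time.

    Values for a repeated name are bucketed, then joined once per name. Header
    names are lower-cased so differently-cased duplicates land in one bucket.
    """
    buckets = {}
    for name, value in raw_headers:
        buckets.setdefault(name.lower(), []).append(value)
    return {name: b",".join(vals) for name, vals in buckets.items()}


def copy_ratio(n, value=b"x"):
    """How many times more bytes repeated concatenation writes than a single join."""
    _, concat_cost = combine_concat([value] * n)
    _, join_cost = combine_join([value] * n)
    return concat_cost / join_cost


# Constructed sample: one header repeated twice with different casing, plus one other.
SAMPLE_HEADERS = [
    (b"x-forwarded-for", b"10.0.0.1"),
    (b"X-Forwarded-For", b"10.0.0.2"),
    (b"host", b"example.com"),
]

if __name__ == "__main__":
    print(merge_duplicate_headers(SAMPLE_HEADERS))
    for n in (10, 100, 1000):
        print(f"{n} duplicate values: concat copies {copy_ratio(n):.0f}x more bytes than join")
```

With single-byte values the concatenation approach writes n² bytes in total while the join writes 2n-1, so the ratio grows with n: a request carrying a thousand copies of one header costs roughly five hundred times more copying than it should.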
Another DoS flaw, CVE-2026-1285, lies in the text truncation utilities. Methods such as Truncator.chars() were vulnerable to inputs containing very large numbers of unmatched HTML tags, which “could cause quadratic time complexity during HTML parsing”.
Rounding out the patch list is a “Low” severity fix for CVE-2025-13473. This vulnerability involves a timing attack in the mod_wsgi authentication handler that could allow “remote attackers to enumerate users via a timing attack”. While less critical than SQL injection, it represents a privacy leak that secure applications should close.
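A user-enumeration timing leak in a password check typically arises when an unknown username takes a fast path that skips the expensive hash, so the response time reveals whether the account exists. The block below is an added example, not Django's mod_wsgi handler, that shows the leaky shape beside the evened-out one, where the same hashing work is done against a dummy salt when the user is missing. The user store, salts and PBKDF2 parameters are constructed for the example; the hash-call counter is instrumentation so the difference can be checked deterministically rather than by measuring time.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; not Django's hasher settings.
ITERATIONS = 50_000
_DUMMY_SALT = os.urandom(16)  # fixed for the process so a dummy hash costs the same as a real one
USERS = {}                     # username -> (salt, pbkdf2 digest); constructed store
HASH_CALLS = 0                 # instrumentation: how many expensive hashes ran


def hash_password(password: str, salt: bytes) -> bytes:
    """Expensive derivation; every call is counted so the two checks can be compared."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def check_password_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users, so no hash is computed for them.

    That fast path is measurably quicker than the slow path taken for a known
    user with a wrong password, which is what a timing attack distinguishes.
    """
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def check_password_even(username: str, password: str) -> bool:
    """Performs the same hashing work whether or not the user exists."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same cost, result discarded
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def hash_calls_for(check, username: str, password: str) -> int:
    """Run one check and report how many expensive hashes it triggered."""
    global HASH_CALLS
    HASH_CALLS = 0
    check(username, password)
    return HASH_CALLS


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")  # constructed account
    for check in (check_password_leaky, check_password_even):
        for user in ("alice", "nobody"):
            print(check.__name__, user, "->", hash_calls_for(check, user, "wrong"), "hash call(s)")
```

The comparison of digests uses hmac.compare_digest so that the final equality check is not itself a timing channel; the dummy hash closes the larger gap, which is the absence of any hashing at all on the unknown-user path.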