Home

CVE-2026-1312

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28..QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.Django would like to thank Solomon Kebede for reporting this issue.

Risk Information

Base Score
5.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.012

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django 4.2.28Windows
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django 5.2.11Windows
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django 6.0.2Windows
Multiple vulnerabilities are fixed in Python-django 4.2.28Windows
Multiple vulnerabilities are fixed in Python-django 5.2.11Windows
Multiple vulnerabilities are fixed in Python-django 6.0.2Windows
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django for linux 4.2.28Linux
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django for linux 5.2.11Linux
Vulnerabilities CVE-2025-13473,CVE-2026-1207,CVE-2026-1287,CVE-2026-1312 are fixed in Python-django for linux 6.0.2Linux
Multiple vulnerabilities are fixed in Python-django for linux 4.2.28Linux
Multiple vulnerabilities are fixed in Python-django for linux 5.2.11Linux
Multiple vulnerabilities are fixed in Python-django for linux 6.0.2Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234