PYSEC-2025-106
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2025-106.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2025-106
- Aliases
- Published
- 2025-10-01T19:15:36.487Z
- Modified
- 2026-05-20T09:18:57.509697Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
- References
Affected packages
PyPI / django
Package
- Name
- django
- View open source insights on deps.dev
- Purl
- pkg:pypi/django
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.2Fixed4.2.25Introduced5.1Fixed5.1.13Introduced5.2Fixed5.2.7
Affected versions
4.*
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.2.19
4.2.20
4.2.21
4.2.22
4.2.23
4.2.24
5.*
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6