Django Users Exposed to Unauthorized Access and Data Overload

OESA-2026-1507
Summary

Django users need to update their software to patch two security flaws that could allow hackers to access user accounts and overload a website with data, potentially causing it to crash. The vulnerabilities affect Django versions 6.0, 5.2, and 4.2. To protect your users and data, update to the latest version (6.0.2, 5.2.11, or 4.2.28) as soon as possible.
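A quick way to act on the summary above is to compare the Django version an application actually runs against the fixed releases the advisory names. The script below is an added example, not part of the openEuler advisory or of Django itself; the fixed releases (6.0.2, 5.2.11, 4.2.28) and the unevaluated series (5.0.x, 4.1.x, 3.2.x) are taken from the advisory text. It only understands upstream version numbers: a distribution package with backported fixes, such as the openEuler python-django 2.2.27-21.oe2003sp4 listed under "What to do", has to be judged by its package version, not by the upstream number it reports.

```python
"""Check an upstream Django version against the fixed releases in this advisory.

Added example; not part of the openEuler advisory or of Django itself.
The fixed releases and unevaluated series come from the advisory text.
Distribution packages that backport fixes (e.g. openEuler's
python-django 2.2.27-21.oe2003sp4) must be checked by package version.
"""
import re

# (major, minor) series -> first fixed release in that series, per the advisory
FIXED_RELEASES = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

# Series the advisory lists as unsupported and not evaluated
UNEVALUATED_SERIES = {(5, 0), (4, 1), (3, 2)}

# Release segment plus an optional pre-release tag (6.0a1, 5.2rc1). A pre-release
# always precedes the final release carrying the same number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")


def parse_version(text):
    """Return (major, minor, patch, is_final); raise ValueError on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    is_final = m.group(4) is None
    return major, minor, patch, is_final


def assess(version):
    """Classify as 'fixed', 'vulnerable', 'unevaluated' or 'not-covered'."""
    major, minor, patch, is_final = parse_version(version)
    series = (major, minor)
    if series in FIXED_RELEASES:
        fixed = FIXED_RELEASES[series]
        release = (major, minor, patch)
        # Equal to the fix only counts when it is the final release: a
        # pre-release of 6.0.2 would still be older than 6.0.2 itself.
        if release > fixed or (release == fixed and is_final):
            return "fixed"
        return "vulnerable"
    if series in UNEVALUATED_SERIES:
        return "unevaluated"
    # Series the advisory does not mention at all (older or newer)
    return "not-covered"


def django_version_from_freeze(freeze_output):
    """Pull the Django pin out of `pip freeze` style output, e.g. 'Django==5.2.10'."""
    for line in freeze_output.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep and name.lower() == "django":
            return version
    return None


if __name__ == "__main__":
    # Constructed sample of `pip freeze` output, for demonstration only
    sample_freeze = "asgiref==3.8.1\nDjango==5.2.10\nsqlparse==0.5.1\n"
    found = django_version_from_freeze(sample_freeze)
    print(f"Django {found}: {assess(found)}")
```

Feed it the real `pip freeze` output of each deployment; anything reported as "vulnerable" or "unevaluated" needs the upgrade the advisory recommends, and "not-covered" means the series is outside what this advisory evaluated and has to be checked against its own release notes.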

What to do
  • Update python-django to version 2.2.27-21.oe2003sp4.
Affected software
Vendor   Product         Affected versions         Fix available
–        python-django   <= 2.2.27-21.oe2003sp4    2.2.27-21.oe2003sp4
Original title
python-django security update
Original description
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Security Fix(es):

An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of "low" according to the Django security policy. (CVE-2025-13473)

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. (CVE-2026-1207)

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial of service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. (CVE-2026-1285)

A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include the Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), the 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and the 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected. (CVE-2026-1287)

A SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods and the same alias is reused in FilteredRelation via a specially crafted dictionary using dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. (CVE-2026-1312)
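Both FilteredRelation issues (CVE-2026-1287 and CVE-2026-1312) share a precondition: an alias name built from request data reaches a QuerySet method through **kwargs expansion, carrying control characters or periods. Upgrading is the fix; the check below is an added, application-side defence-in-depth example and is not Django's own patch. It rejects any caller-controlled alias that is not a plain identifier, and optionally anything outside the fixed set of aliases a view intends to expose, before the dictionary is expanded. The dictionary values are placeholder strings standing in for ORM expressions, and `validate_aliases`, `classify_alias` and `UnsafeAliasError` are names chosen for this example.

```python
"""Allowlist dynamically built QuerySet aliases before **kwargs expansion.

Added example; not Django's own fix. It screens alias names that a view
assembles from request data before they are expanded into annotate(),
values(), order_by() and similar methods. Dictionary values are placeholder
strings standing in for ORM expressions.
"""
import re
import unicodedata

# Plain ASCII identifier: letters, digits, underscore, not starting with a digit
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeAliasError(ValueError):
    """Raised when a caller-controlled alias would not be a plain identifier."""


def classify_alias(key):
    """Return 'ok' or a short reason the key is rejected."""
    if not isinstance(key, str) or not key:
        return "not-a-string"
    # Unicode category Cc covers NUL, tab, newline and other control characters
    if any(unicodedata.category(ch) == "Cc" for ch in key):
        return "control-character"
    if "." in key:
        return "period"
    if not _IDENTIFIER_RE.match(key):
        return "not-identifier"
    return "ok"


def validate_aliases(kwargs, allowed=None):
    """Return kwargs unchanged when every key is a safe alias, else raise.

    allowed: optional set of alias names the view actually intends to expose;
    a key that is well formed but not in this set is still rejected.
    """
    rejected = {}
    for key in kwargs:
        reason = classify_alias(key)
        if reason == "ok" and allowed is not None and key not in allowed:
            reason = "not-allowed"
        if reason != "ok":
            rejected[key] = reason
    if rejected:
        raise UnsafeAliasError(f"rejected aliases: {rejected!r}")
    return kwargs


if __name__ == "__main__":
    # Constructed input as a view might assemble it from a query string; the
    # values are placeholders for ORM expressions such as Count("orders").
    user_aliases = {"order_total": "Sum('orders__amount')", "n\x00ame": "F('name')"}
    try:
        validate_aliases(user_aliases, allowed={"order_total", "order_count"})
    except UnsafeAliasError as exc:
        print(exc)
```

Call `validate_aliases` on the dictionary immediately before writing `queryset.annotate(**kwargs)` or `queryset.order_by(*kwargs)`; the `allowed` set is the stronger control, since a view normally knows the handful of aliases it is prepared to expose and has no reason to accept arbitrary well-formed names.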
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026