
Critical Django Vulnerabilities Enable DoS and SQL Injection Attacks

The Django Software Foundation has issued emergency security patches addressing six critical vulnerabilities affecting multiple versions of the popular Python web framework.

Released on February 3, 2026, the updates address severe flaws that enable SQL injection attacks, denial-of-service conditions, and user account enumeration.

Django is a widely used open-source Python web framework powering major platforms, including Instagram, Mozilla, and Bitbucket.

The framework emphasizes rapid development and follows the Model-Template-View architectural pattern, making it ideal for building database-driven websites.

Security releases include Django 6.0.2, 5.2.11, and 4.2.28, targeting all currently supported versions.
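The first thing a practitioner wants after reading the release list is a quick way to tell whether a given deployment is already on a fixed build. The script below is an added example, not code from the Django project: it compares a Django version string against the first patched release of its series (6.0.2, 5.2.11 and 4.2.28, as listed above). It is pure Python, so it runs even where Django is not installed; the helper names and the handling of pre-release tags are this example's own assumptions.

```python
# Added example, not code from the Django project: check whether a Django
# version string is at or above the patched release for its series
# (6.0.2, 5.2.11 and 4.2.28, as listed in the article). Pure Python, so it
# runs without Django installed; the helper names are this example's own.
from typing import Optional, Tuple

# First patched release per supported series (from the article).
PATCHED_RELEASES = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '5.2.11' into ((5, 2, 11), False); a pre-release tag such as
    '5.2.11rc1' yields ((5, 2, 11), True) so it can be ranked below the final."""
    numbers = []
    prerelease = False
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                prerelease = True  # 'a1', 'b2', 'rc1' or similar suffix
                break
        if not digits:
            break
        numbers.append(int(digits))
        if prerelease:
            break
    return tuple(numbers), prerelease


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the February 2026 fixes, False if it does
    not, None if the series is not one of the supported series in the table
    (for example an end-of-life 3.2 release, which received no patch)."""
    numbers, prerelease = parse_version(version)
    if len(numbers) < 2:
        return None
    target = PATCHED_RELEASES.get(numbers[:2])
    if target is None:
        return None
    # Django reports 'x.y' for the first release of a series; pad to x.y.0.
    padded = (numbers + (0, 0, 0))[:3]
    if padded > target:
        return True
    if padded == target:
        return not prerelease  # 6.0.2rc1 is still older than 6.0.2
    return False


if __name__ == "__main__":
    try:
        import django
    except ImportError:
        print("Django is not installed in this environment")
    else:
        installed = django.get_version()
        print(f"Django {installed}: patched={is_patched(installed)}")
```

A `None` result is worth treating as a failure in a CI check: a series that is not in the table is either unsupported (and will never receive these fixes) or newer than the article, and either case deserves a human look rather than a silent pass.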

Three vulnerabilities carry “high” severity ratings, two are rated “moderate,” and one is rated “low.” The Django team strongly encourages immediate upgrades to prevent potential exploitation.

Critical SQL Injection Vulnerabilities

Three high-severity SQL injection flaws were discovered in Django’s database handling mechanisms.

CVE-2026-1207 affects raster lookups on GIS fields implemented on PostGIS, allowing attackers to inject malicious SQL code when untrusted data is used as a band index.

PostGIS raster functionality enables the storage and querying of spatial raster data in PostgreSQL databases.

CVE-2026-1287 enables SQL injection through column aliases via control characters when using FilteredRelation with crafted dictionaries passed to QuerySet methods, including annotate(), aggregate(), and values().

This vulnerability expands the attack surface significantly for applications relying on filtered relation operations.

CVE-2026-1312 allows SQL injection via QuerySet.order_by() when column aliases containing periods are combined with FilteredRelation operations.

Attackers can manipulate query ordering parameters to execute arbitrary SQL commands, potentially compromising sensitive data.
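Upgrading is the fix; the complementary control is to never let a raw request value stand in for a band index, a column alias or an ordering field in the first place. The code below is an added example of such allow-list validation, not Django's patch and not code from the project: it accepts a band index only as a bare decimal within a fixed range, and accepts alias and ordering names only when they are plain identifiers (no control characters, no periods) that also appear on a list the view defines. The function names, the band limit and the sample allow-list are this example's assumptions.

```python
# Added example, not Django's own fix: allow-list validation applied to
# request-supplied values before they reach the ORM. It covers the two input
# kinds named in the article: a raster band index, and column aliases or
# ordering fields passed to annotate(), FilteredRelation and order_by().
# The function names, the band limit and the allow-list are assumptions.
import re
from typing import Iterable, List

# A safe alias is a plain identifier: letters, digits and underscores only.
# This excludes control characters and periods, the two ingredients of the
# alias-based injections described in the article.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_DECIMAL = re.compile(r"[0-9]+")


class InvalidInput(ValueError):
    """Raised for any value that fails validation; callers map it to HTTP 400."""


def validate_band_index(value, max_bands: int = 16) -> int:
    """Return a band index in 1..max_bands, accepting only a bare decimal."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise InvalidInput("band index must be an int or a decimal string")
    text = str(value)
    if not _DECIMAL.fullmatch(text):  # no signs, spaces, control chars, or SQL
        raise InvalidInput(f"band index is not a plain decimal: {text!r}")
    band = int(text)
    if not 1 <= band <= max_bands:
        raise InvalidInput(f"band index out of range 1..{max_bands}: {band}")
    return band


def validate_alias(name, allowed: Iterable[str]) -> str:
    """Return name if it is a plain identifier AND appears in the allow-list."""
    if not isinstance(name, str) or not _IDENTIFIER.fullmatch(name):
        raise InvalidInput(f"alias is not a plain identifier: {name!r}")
    if name not in set(allowed):
        raise InvalidInput(f"alias is not permitted: {name!r}")
    return name


def validate_ordering(fields: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Validate order_by() arguments, permitting the usual '-' descending prefix."""
    allowed = set(allowed)
    cleaned = []
    for field in fields:
        if not isinstance(field, str):
            raise InvalidInput("ordering field must be a string")
        base = field[1:] if field.startswith("-") else field
        validate_alias(base, allowed)
        cleaned.append(field)
    return cleaned


def rejected(func, *args) -> bool:
    """True if func(*args) raises InvalidInput; handy for tests and self-checks."""
    try:
        func(*args)
    except InvalidInput:
        return True
    return False


# Constructed sample: the aliases a hypothetical view exposes for sorting.
SORTABLE = frozenset({"name", "created", "score"})

if __name__ == "__main__":
    print(validate_band_index("3"))                         # 3
    print(validate_ordering(["-score", "name"], SORTABLE))  # ['-score', 'name']
    for bad in ("1,2", "0", "17", " 1", "\x001"):
        print(repr(bad), "rejected:", rejected(validate_band_index, bad))
```

The allow-list is the important half: a regex alone would still let a caller sort by any identifier-shaped column name, whereas the set confines ordering to the fields the view intended to expose.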

| CVE ID | Vulnerability Type | Severity | Affected Component | Status |
|---|---|---|---|---|
| CVE-2025-13473 | Username Enumeration via Timing Attack | Low | mod_wsgi Authentication Handler | Patched |
| CVE-2025-14550 | Denial-of-Service via Duplicate Headers | Moderate | ASGI Request Handler | Patched |
| CVE-2026-1207 | SQL Injection via Raster Lookups | High | PostGIS GIS Fields | Patched |
| CVE-2026-1285 | Denial-of-Service in HTML Truncation | Moderate | django.utils.text.Truncator | Patched |
| CVE-2026-1287 | SQL Injection in Column Aliases | High | FilteredRelation QuerySet | Patched |
| CVE-2026-1312 | SQL Injection via order_by() | High | QuerySet.order_by() | Patched |

Two moderate-severity denial-of-service vulnerabilities were patched in the latest releases. CVE-2025-14550 affects Django’s ASGI implementation, which handles asynchronous web requests.

The flaw lies in how ASGIRequest processes duplicate HTTP headers: merging them by repeated string concatenation makes the work grow super-linearly with the number of repeats, which degrades service performance.
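To make the "super-linear computation" concrete, the following added example (illustrative only, not Django's code or its patch) merges a constructed ASGI-style header list two ways: the repeated-concatenation pattern, whose copying cost grows with the square of the repeat count, and a bucket-then-join pattern that is linear. It also shows a simple front-line guard that counts repeated header names so a proxy or middleware can refuse pathological requests before any merging happens. The function names, the repeat limit and the sample headers are this example's own.

```python
# Added example, not Django's patch: illustrates the class of issue described
# in the article (duplicate headers merged by repeated string concatenation)
# and two defensive measures, using a constructed ASGI-style header list.
# Function names, the repeat limit and the sample headers are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

RawHeaders = List[Tuple[bytes, bytes]]  # the shape of an ASGI scope["headers"]


def merge_headers_concat(raw_headers: RawHeaders) -> Dict[str, str]:
    """The problematic pattern: every repeat appends to an ever-growing string,
    so the accumulated value is re-copied on each iteration (quadratic overall)."""
    merged: Dict[str, str] = {}
    for name, value in raw_headers:
        key = name.decode("latin-1").lower()
        text = value.decode("latin-1")
        merged[key] = merged[key] + "," + text if key in merged else text
    return merged


def merge_headers_join(raw_headers: RawHeaders) -> Dict[str, str]:
    """Linear alternative: bucket the values, then join each bucket exactly once."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name, value in raw_headers:
        buckets[name.decode("latin-1").lower()].append(value.decode("latin-1"))
    return {key: ",".join(values) for key, values in buckets.items()}


def bytes_copied_concat(repeats: int, value_len: int) -> int:
    """Bytes moved by repeated concatenation: L + 2L + ... + nL (separators ignored)."""
    return value_len * repeats * (repeats + 1) // 2


def bytes_copied_join(repeats: int, value_len: int) -> int:
    """Bytes moved by a single join of n values of length L: nL."""
    return value_len * repeats


def duplicate_header_offenders(raw_headers: RawHeaders, max_repeats: int = 20) -> List[str]:
    """Header names repeated more than max_repeats times. A front proxy or
    middleware can answer 400 for such requests before any merging happens."""
    counts: Dict[str, int] = defaultdict(int)
    for name, _ in raw_headers:
        counts[name.decode("latin-1").lower()] += 1
    return sorted(key for key, n in counts.items() if n > max_repeats)


# Constructed sample: an ordinary request plus one header name repeated 25 times.
SAMPLE_HEADERS: RawHeaders = [(b"host", b"example.test"), (b"accept", b"*/*")] + [
    (b"x-tag", b"value%02d" % i) for i in range(25)
]

if __name__ == "__main__":
    assert merge_headers_concat(SAMPLE_HEADERS) == merge_headers_join(SAMPLE_HEADERS)
    print("offending names:", duplicate_header_offenders(SAMPLE_HEADERS))
    for n in (100, 1_000, 10_000):
        print(f"{n:>6} repeats of 10 bytes: concat copies {bytes_copied_concat(n, 10):>12,}"
              f" bytes, join copies {bytes_copied_join(n, 10):>9,}")
```

Both merge functions produce identical dictionaries; only the amount of work differs, and the `bytes_copied_*` helpers make that difference visible without needing a timing harness. The repeat threshold is a deployment choice: legitimate clients rarely send the same header more than a handful of times, so a low limit costs little and bounds the work an upstream handler can be made to do.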

CVE-2026-1285 targets HTML truncation functionality in django.utils.text.Truncator, potentially disrupting applications relying on text processing features.

Combined with credential-stuffing attacks, these DoS vectors could facilitate large-scale disruption against Django deployments.

All Django versions are affected, including the main development branch and the 6.0, 5.2, and 4.2 series.

The Django Software Foundation has released patches across all supported branches, with specific GitHub commits available for each vulnerability.

System administrators should immediately upgrade to patched versions and verify that all untrusted user input is sanitized before database operations.

Organizations using Django in production should prioritize patching high-severity SQL injection vulnerabilities, particularly applications utilizing PostGIS functionality or FilteredRelation queries.

The denial-of-service vulnerabilities affecting ASGI deployments require urgent attention for high-traffic applications, which are the most exposed to deliberate disruption.


The post Critical Django Vulnerabilities Enable DoS and SQL Injection Attacks appeared first on Cyber Security News.
