CVE-2026-1312
MediumCVSS 5.4Exploitation Probability (EPSS)
Elevated risk52th percentile - higher than 52% of all known CVEs
Summary
A SQL injection vulnerability was discovered in Django's `.QuerySet.order_by()` method. The issue occurs when a column alias containing a period is used with `FilteredRelation` and dictionary expansion. Affected versions include 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28; older unsupported series may also be vulnerable.
Risk Assessment
An attacker could exploit this vulnerability to execute unauthorized SQL queries, potentially leading to data leakage, modification, or deletion in the organization's database.
Recommendation
Immediately upgrade Django to version 6.0.2, 5.2.11, or 4.2.28 depending on your series. If using an older unsupported version, consider migrating to a supported release.
Original NVD description (English source)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

