Django, SQL Injection, High Severity

Listen to this Post

The vulnerability exists within Django’s FilteredRelation functionality when used with QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). These methods accept kwargs for specifying column aliases. Attackers can exploit this by passing a crafted dictionary where the keys contain SQL control characters. During dictionary expansion, these keys are directly interpolated into the SQL query string without proper sanitization. FilteredRelation uses these aliases in JOIN conditions or SELECT clauses. The lack of input validation allows malicious SQL fragments to be injected into the generated query. For instance, a key like “alias’; DROP TABLE users; –” could terminate the intended query and execute arbitrary commands. This bypasses Django’s standard parameterized query protection. The issue affects alias names derived from kwargs parameters. The vulnerability is triggered when user-controlled or unsanitized data is passed as keyword arguments to the mentioned QuerySet methods. Versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28 are susceptible. Unsupported series may also be vulnerable. The patched versions implement proper escaping and validation of alias names to neutralize control characters before query construction.
Platform: Django
Version: 6.0,5.2,4.2
Vulnerability: SQL Injection
Severity: High
date: 2026-02-03

Prediction: Patched 2026-02-03

What Undercode Say:

Analytics:

django-admin –version

pip list grep Django

pip install Django==6.0.2

Vulnerable Code Example

from django.db.models import FilteredRelation, Q

queryset = Model.objects.annotate(

custom_alias=FilteredRelation(‘related’, condition=Q(related__field=’value’), {‘injected\’;–‘: ‘value’})

)

Sanitization Bypass

How Exploit:

Craft dictionary with SQL control characters in keys. Pass via kwargs to annotate() or similar methods. Exploit unsanitized alias interpolation in SQL.

Protection from this CVE

Upgrade to patched versions: 6.0.2, 5.2.11, 4.2.28. Avoid passing user input directly into kwargs for column aliases. Implement input validation and escaping.

Impact:

Data confidentiality compromise. Unauthorized database modifications. Potential complete system access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top