CVE-2026-1207

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/	Vendor Advisory Patch
https://groups.google.com/g/django-announce	Release Notes
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::

History

No history.

Information

Published : 2026-02-03 15:16

Updated : 2026-02-04 17:34

NVD link : CVE-2026-1207

Mitre link : CVE-2026-1207

CVE.ORG link : CVE-2026-1207

JSON object : View

Products Affected

djangoproject

django

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-1207", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-02-03T15:16:13.433", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Vendor Advisory", "Patch"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://groups.google.com/g/django-announce", "tags": ["Release Notes"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en 6.0 antes de 6.0.2, 5.2 antes de 5.2.11 y 4.2 antes de 4.2.28.\nLas b\u00fasquedas de r\u00e1ster en 'RasterField' (solo implementado en PostGIS) permiten a atacantes remotos inyectar SQL a trav\u00e9s del par\u00e1metro de \u00edndice de banda.\nSeries de Django anteriores no soportadas (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y tambi\u00e9n pueden estar afectadas.\nDjango desea agradecer a Tarek Nakkouch por reportar este problema."}], "lastModified": "2026-02-04T17:34:46.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59566A1F-D2C5-43D6-97AA-258EFD90B937", "versionEndExcluding": "4.2.28", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "845BC013-1341-4D81-A5F1-507C814ABA7E", "versionEndExcluding": "5.2.11", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4ACBCB7B-B8F4-4EEF-842D-0CCB8674BCD2", "versionEndExcluding": "6.0.2", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}