CNNVD-202511-412 Information
CNNVD ID
CNNVD-202511-412
Related CVE
- CNNVD Published: 2025-11-05
Description (Chinese)
Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 5.1版本至5.1.14之前版本、4.2版本至4.2.26之前版本和5.2版本至5.2.8之前版本存在安全漏洞,该漏洞源于QuerySet.filter、QuerySet.exclude、QuerySet.get和Q类在使用特制字典作为_connector参数时,可能导致SQL注入攻击。
Description (English)
Django is an open-source Web application framework based on the Python language of the Django Foundation. The framework includes object-oriented maprs, view systems, templates, etc. There is a security loophole in the pre-Django 5.1 to 5.1.14, pre-Release 4.2.2 to 4.2.26 and pre-Release 5.2.8, which originates from QuerySet.filter, QuerySet.exclude, QuerySet.Get and Q, when using a special dictionary as connector parameter, which could lead to an SQL injection attack.
Hazard Level
Medium
Vulnerability Type
SQL注入
Affected Vendor
Django
Published
2025-11-05
Last Modified
2026-02-24
References
https://docs.djangoproject.com/en/dev/releases/security/ https://groups.google.com/g/django-announce https://www.djangoproject.com/weblog/2025/nov/05/security-releases/ https://www.exploit-db.com/exploits/52456 https://cxsecurity.com/issue/WLB-2026020003 https://vigilance.fr/vulnerability/Django-SQL-injection-via-QuerySet-48672
Patch
https://www.djangoproject.com/download/
Share on: