VDB
BIT-DJANGO-2026-1312
BIT-DJANGO-2026-1312
PUBLISHED
CVSS 5.400000095367432 MEDIUM
A flaw was found in Django. A remote attacker could exploit a SQL injection vulnerability in the `.QuerySet.order_by()` method. This occurs when column aliases containing periods are used, and the same alias is also present in `FilteredRelation` via a specially crafted dictionary. Successful exploitation could lead to unauthorized information disclosure or arbitrary code execution within the database.
Risk Scores
CVSS 3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 8 | |
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 10 | |
| Red Hat | Red Hat Ansible Automation Platform 2 | |
| Red Hat | Red Hat Satellite 6 | |
| Red Hat | Red Hat Satellite 6.16 for RHEL 9 | |
| Red Hat | Red Hat Ansible Automation Platform 2.6 | |
| djangoproject | Django | 4.2, 4.2.28, 5.2.11 |
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 9 | |
| Red Hat | Red Hat Satellite 6.18 | |
| Red Hat | Red Hat OpenStack Platform 16.2 | |
| Red Hat | Red Hat OpenStack Platform 18.0 | |
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 | |
| Red Hat | Red Hat Satellite 6.18 for RHEL 9 | |
| Red Hat | Red Hat Update Infrastructure 4 for Cloud Providers | |
| Red Hat | Red Hat OpenStack Platform 17.1 | |
| Red Hat | Red Hat Ansible Automation Platform 2.5 | |
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 9 | |
| Red Hat | Red Hat Discovery 2 | |
| Red Hat | Red Hat Satellite 6.16 for RHEL 8 |
Timeline
- Feb 3, 2026 CVE Published
- Feb 3, 2026 PoC Published
- Feb 3, 2026 PoC Published
- Feb 13, 2026 PoC Published
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
- Jul 2, 2026 Distribution Patch
References
- Django security archive vendor-advisory
- Django releases announcements mailing-list
- Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2026-1312 vdb
- RHBZ#2436342 issue
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json url
- https://access.redhat.com/errata/RHSA-2026:3959 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:5971 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:3958 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:5970 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:14835 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:3962 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:3960 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:2694 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:6291 vendor-advisory