VDB

BIT-DJANGO-2026-1312

BIT-DJANGO-2026-1312 PUBLISHED CVSS 5.400000095367432 MEDIUM

A flaw was found in Django. A remote attacker could exploit a SQL injection vulnerability in the `.QuerySet.order_by()` method. This occurs when column aliases containing periods are used, and the same alias is also present in `FilteredRelation` via a specially crafted dictionary. Successful exploitation could lead to unauthorized information disclosure or arbitrary code execution within the database.

Risk Scores

CVSS 3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 8
Red HatRed Hat Ansible Automation Platform 2.6 for RHEL 10
Red HatRed Hat Ansible Automation Platform 2
Red HatRed Hat Satellite 6
Red HatRed Hat Satellite 6.16 for RHEL 9
Red HatRed Hat Ansible Automation Platform 2.6
djangoprojectDjango4.2, 4.2.28, 5.2.11
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 9
Red HatRed Hat Satellite 6.18
Red HatRed Hat OpenStack Platform 16.2
Red HatRed Hat OpenStack Platform 18.0
Red HatRed Hat Satellite 6.17 for RHEL 9
Red HatRed Hat Satellite 6.18 for RHEL 9
Red HatRed Hat Update Infrastructure 4 for Cloud Providers
Red HatRed Hat OpenStack Platform 17.1
Red HatRed Hat Ansible Automation Platform 2.5
Red HatRed Hat Ansible Automation Platform 2.6 for RHEL 9
Red HatRed Hat Discovery 2
Red HatRed Hat Satellite 6.16 for RHEL 8

Timeline

  • Feb 3, 2026 CVE Published
  • Feb 3, 2026 PoC Published
  • Feb 3, 2026 PoC Published
  • Feb 13, 2026 PoC Published
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
  • Jul 2, 2026 Distribution Patch
Open in Interactive Console →
$ Console Community · 100/wk Open console ›