BIT-django-2025-59681

BIT-django-2025-59681 PUBLISHED CVSS 9.800000190734863 CRITICAL

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Bitnami	django	4.2.0, 5.1.0, 5.2.0

Timeline

Oct 8, 2025 CVE Published
Apr 21, 2026 CVE Updated

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/g/django-announce url
https://nvd.nist.gov/vuln/detail/CVE-2025-59681 url
https://www.djangoproject.com/weblog/2025/oct/01/security-releases/ url
http://www.openwall.com/lists/oss-security/2025/10/01/3 url

Open in Interactive Console →