VDB
DEBIAN-CVE-2025-13372
DEBIAN-CVE-2025-13372
PUBLISHED
CVSS 4.300000190734863 MEDIUM
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Risk Scores
CVSS 3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | python-django | 3.2.19-1, 3.2.19-1, 3.2.19-1 |
| Debian:13 | python-django | 0, 3:4.2.23-1, 3:4.2.24-1 |
| Debian:14 | python-django | 4.2.26-1, 4.2.25-2, 4.2.25-1 |
Exploit Intelligence
- ghost_report_20260112_192608.json (github-poc)
- ghost_report_20260112_175243.json (github-poc)
- ghost_report_20260112_182220.json (github-poc)
Timeline
- Dec 2, 2025 CVE Published
- Apr 28, 2026 CVE Updated