VDB

DEBIAN-CVE-2025-13372

DEBIAN-CVE-2025-13372 PUBLISHED CVSS 4.300000190734863 MEDIUM

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Risk Scores

CVSS 3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Affected Products

VendorProductVersions
Debian:12python-django3.2.19-1, 3.2.19-1, 3.2.19-1
Debian:13python-django0, 3:4.2.23-1, 3:4.2.24-1
Debian:14python-django4.2.26-1, 4.2.25-2, 4.2.25-1

Timeline

  • Dec 2, 2025 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›