DEBIAN-CVE-2025-64459
PUBLISHED
CVSS 9.1 CRITICAL
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is passed, via dictionary expansion (`**kwargs`), as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
Risk Scores
CVSS 3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | python-django | 0, 0, 4.2.23-1 |
| Debian:12 | python-django | 3:3.2.21-1, 3:3.2.20-1, 0 |
| Debian:11 | python-django | *, 2.2.24-1, 2.2.25-1 |
| Debian:13 | python-django | 4.2.26-1, 4.2.25-2, 4.2.25-1 |
Exploit Intelligence
- rockmelodies/django_sqli_target_CVE-2025-64459 (github-poc)
- alxsourin/Helpdesk-Telecom-CVE-2025-64459 (github-poc-repo)
- CVE-2025-64459-hunter (github-poc-repo)
- demo application showing off SQL Injection exploit in django 5.2.7 (github-poc-repo)
- demo application showing off SQL Injection exploit in django 5.2.7 (github-poc)
- CVE-2025-64459-hunter (github-poc)
- alxsourin/Helpdesk-Telecom-CVE-2025-64459 (github-poc)
- Z3YR0xX/CVE-2025-64459 (github-poc)
- Vulnerability: SQL Injection via QuerySet and Q() keyword argument unpacking. CVE ID: CVE-2025-64459 Severity: Critical (CVSS 9.1) Affected Versions: Django 5.1 < 5.1.14, 4.2 < 4.2.26, and 5.2 < 5.2.8. Researcher: Cyberstan (University of Warwick) (github-poc)
- A self-contained testbed for Django CVE-2025-64459. Demonstrates QuerySet.filter() parameter injection via dictionary expansion using Docker. (github-poc)
…and 6 more exploits
Timeline
- Nov 5, 2025 CVE Published
- Apr 28, 2026 CVE Updated