VDB
DEBIAN-CVE-2026-1207
PUBLISHED
CVSS 5.4 MEDIUM
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Risk Scores
CVSS 3.1
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | python-django | 3:4.2.23-1, 3:4.2.24-1, 3:4.2.25-2 |
| Debian:14 | python-django | 3:4.2.23-1, 3:4.2.26-1, 3:4.2.27-2 |
| Debian:12 | python-django | 0, 3:3.2.19-1, 3:3.2.19-1+deb12u1~bpo11+1 |
| Debian:11 | python-django | *, 2:2.2.24-1, 2:2.2.26-1~deb11u1 |
Exploit Intelligence
- When the Django framework queries geographic raster data through PostGIS, passing unvalidated user input directly as the band index parameter leads to SQL injection (github-poc-repo)
- When the Django framework queries geographic raster data through PostGIS, passing unvalidated user input directly as the band index parameter leads to SQL injection (github-poc)
- CVE-2026-1207.yaml (github-poc)
- CVE-2026-1207.yml (github-poc)
- patch_comparison.py (github-poc)
- Nuclei Template: CVE-2026-1207 (nuclei-template)
Timeline
- Feb 3, 2026 CVE Published
- Apr 28, 2026 CVE Updated