{"id":"GHSA-mwm9-4648-f68q","summary":"Django has an SQL Injection issue","details":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n\nDjango would like to thank Tarek Nakkouch for reporting this issue.","aliases":["BIT-django-2026-1207","CVE-2026-1207"],"modified":"2026-02-05T10:26:06.774055Z","published":"2026-02-03T15:30:23Z","related":["CGA-5q4r-x59p-qcwc"],"database_specific":{"severity":"HIGH","nvd_published_at":"2026-02-03T15:16:13Z","github_reviewed":true,"github_reviewed_at":"2026-02-03T19:32:56Z","cwe_ids":["CWE-89"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1207"},{"type":"WEB","url":"https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/security"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://groups.google.com/g/django-announce"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.0a1"},{"fixed":"6.0.2"}]}],"versions":["6.0","6.0.1","6.0a1","6.0b1","6.0rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mwm9-4648-f68q/GHSA-mwm9-4648-f68q.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.2a1"},{"fixed":"5.2.11"}]}],"versions":["5.2","5.2.1","5.2.10","5.2.2","5.2.3","5.2.4","5.2.5","5.2.6","5.2.7","5.2.8","5.2.9","5.2a1","5.2b1","5.2rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mwm9-4648-f68q/GHSA-mwm9-4648-f68q.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2a1"},{"fixed":"4.2.28"}]}],"versions":["4.2","4.2.1","4.2.10","4.2.11","4.2.12","4.2.13","4.2.14","4.2.15","4.2.16","4.2.17","4.2.18","4.2.19","4.2.2","4.2.20","4.2.21","4.2.22","4.2.23","4.2.24","4.2.25","4.2.26","4.2.27","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.2a1","4.2b1","4.2rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mwm9-4648-f68q/GHSA-mwm9-4648-f68q.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}]}