Security
Headlines
GHSA-rqw2-ghq9-44m7: Django is vulnerable to SQL injection in column aliases

An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases when a suitably crafted dictionary is expanded with ** into the keyword arguments of QuerySet.annotate() or QuerySet.alias() on PostgreSQL, so that attacker-controlled dictionary keys become column alias names. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Source: ghsa. Tags: #sql #git #intel #postgres
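As an added illustration (this is not code from the advisory or from Django, and it does not require Django to run): the risky pattern is application code that lets a client choose the dictionary keys that are then expanded with ** into QuerySet.annotate() or QuerySet.alias(), because each key becomes a column alias in the generated SQL. The block models how an unvalidated alias can break out of PostgreSQL double-quote identifier quoting, and shows a guard that rejects any alias that is not a plain identifier before the dictionary is expanded. The table name, the regex, the sample payload and the helper names are assumptions made for this example.

```python
import re

# Conservative allowlist: a column alias must look like an unquoted SQL identifier.
# This regex is an assumption for the example, not Django's own validation code.
SAFE_ALIAS = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_annotation_naive(expr_sql: str, alias: str) -> str:
    """Model of an ORM that appends a column alias without validating it.

    The alias is placed inside double quotes (PostgreSQL identifier quoting),
    but nothing stops the alias itself from containing a double quote, so an
    attacker-controlled alias can close the identifier and continue the query.
    The table name app_article is a placeholder for the example.
    """
    return f'SELECT {expr_sql} AS "{alias}" FROM app_article'


def is_safe_alias(alias: str) -> bool:
    """True when the alias is a plain identifier and cannot alter the SQL."""
    return bool(SAFE_ALIAS.fullmatch(alias))


def validate_annotation_kwargs(kwargs: dict) -> dict:
    """Guard to run before queryset.annotate(**kwargs) or queryset.alias(**kwargs).

    Rejects any key that is not a plain identifier, so dictionary expansion
    can never turn client-controlled keys into raw SQL.
    """
    for alias in kwargs:
        if not is_safe_alias(alias):
            raise ValueError(f"unsafe column alias rejected: {alias!r}")
    return kwargs


# Constructed attacker payload: the dict KEY is what would become the column
# alias. The values are placeholder strings standing in for ORM expressions.
MALICIOUS_KWARGS = {
    'title" FROM auth_user; --': "F('title')",
}
BENIGN_KWARGS = {"title_alias": "F('title')"}


def demo() -> dict:
    """Run the vulnerable render and the guarded path; return what happened."""
    alias = next(iter(MALICIOUS_KWARGS))
    naive_sql = render_annotation_naive("title", alias)
    try:
        validate_annotation_kwargs(MALICIOUS_KWARGS)
        blocked = False
    except ValueError:
        blocked = True
    return {
        # Unvalidated alias: the identifier is closed and a new FROM clause follows.
        "naive_sql": naive_sql,
        "injection_visible": "auth_user" in naive_sql,
        # Guarded path: the malicious key is rejected, the benign one passes.
        "malicious_blocked": blocked,
        "benign_accepted": validate_annotation_kwargs(BENIGN_KWARGS) == BENIGN_KWARGS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard is defence in depth for code that builds annotate()/alias() keyword arguments from request data; the actual remediation for this advisory is upgrading to 5.2.9, 5.1.15 or 4.2.27.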


GitHub Advisory Database, GitHub Reviewed: CVE-2025-13372 (GHSA-rqw2-ghq9-44m7)

Django is vulnerable to SQL injection in column aliases

Moderate severity. Published to the GitHub Advisory Database on Dec 2, 2025; updated Dec 3, 2025.

Affected versions
  >= 5.2a1, < 5.2.9
  >= 5.1a1, < 5.1.15
  >= 4.2a1, < 4.2.27

Patched versions
  5.2.9
  5.1.15
  4.2.27


ghsa: Latest News

GHSA-wvxp-jp4w-w8wg: mcp-server-kubernetes has potential security issue in exec_in_pod tool