Critical Django Flaw Allows DoS and SQL Injection Attacks


The Django Software Foundation has issued emergency security patches addressing six critical vulnerabilities affecting multiple versions of the popular Python web framework.

Released on February 3, 2026, the updates fix severe flaws that could enable attackers to execute SQL injection attacks, cause denial-of-service conditions, and enumerate user accounts.

Django is a widely used open-source Python web framework that powers major platforms, including Instagram, Mozilla, and Bitbucket.

The framework emphasizes rapid development and follows the Model-Template-View architectural pattern, making it popular for building database-driven websites.

The security releases include Django 6.0.2, 5.2.11, and 4.2.28, targeting all currently supported versions.

Three vulnerabilities carry “high” severity ratings according to Django’s security policy, while two are rated “moderate” and one “low.”

The Django team strongly encourages all users to upgrade immediately to prevent potential exploitation.

Critical SQL Injection Vulnerabilities

Three high-severity SQL injection flaws were discovered in Django’s database handling mechanisms.

CVE-2026-1207 affects raster lookups on GIS fields implemented on PostGIS, allowing attackers to inject malicious SQL code when untrusted data is used as a band index.

| CVE ID | Vulnerability Type | Severity | Affected Component | CVSS Score |
| --- | --- | --- | --- | --- |
| CVE-2025-13473 | Username Enumeration via Timing Attack | Low | mod_wsgi Authentication Handler | N/A |
| CVE-2025-14550 | Denial-of-Service via Duplicate Headers | Moderate | ASGI Request Handler | N/A |
| CVE-2026-1207 | SQL Injection via Raster Lookups | High | PostGIS GIS Fields | N/A |
| CVE-2026-1285 | Denial-of-Service in HTML Truncation | Moderate | django.utils.text.Truncator | N/A |
| CVE-2026-1287 | SQL Injection in Column Aliases | High | FilteredRelation QuerySet | N/A |
| CVE-2026-1312 | SQL Injection via order_by() | High | QuerySet.order_by() | N/A |

PostGIS raster functionality enables the storage and querying of spatial raster data in PostgreSQL databases.

CVE-2026-1287 enables SQL injection through column aliases via control characters when using FilteredRelation with crafted dictionaries passed to QuerySet methods, including annotate(), aggregate(), and values().

Additionally, CVE-2026-1312 allows SQL injection via QuerySet.order_by() when column aliases containing periods are combined with FilteredRelation operations.
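Both FilteredRelation issues above come down to alias and field names that reach the query builder unvalidated. Upgrading is the fix; what follows is an added defence-in-depth example, not Django's code or its patch: a pure-Python allowlist check an application can apply to request-supplied sort fields and alias maps before they are passed to order_by() or unpacked into annotate(), values() or aggregate(). The field names in ALLOWED_FIELDS and the request inputs are constructed for the example.

```python
import re

# Constructed allowlist for this example: the only field names a request may
# sort by or alias. A real application would derive this from its model.
ALLOWED_FIELDS = frozenset({"id", "created_at", "title", "author_name"})

# A safe identifier: letters, digits and underscores, not starting with a digit.
# Periods (the CVE-2026-1312 vector) and control characters (the CVE-2026-1287
# vector) cannot match, so they are rejected before Django ever sees them.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_order_by(fields, allowed=ALLOWED_FIELDS):
    """Return cleaned order_by() arguments or raise ValueError.

    Each entry may carry a leading '-' for descending order. Anything that is
    not a bare identifier present in the allowlist is rejected, so request
    parameters are never forwarded to order_by() unchecked.
    """
    cleaned = []
    for raw in fields:
        if not isinstance(raw, str):
            raise ValueError(f"order field must be a string, got {type(raw).__name__}")
        descending = raw.startswith("-")
        name = raw[1:] if descending else raw
        if not _IDENT_RE.fullmatch(name):
            raise ValueError(f"malformed order field: {raw!r}")
        if name not in allowed:
            raise ValueError(f"unknown order field: {raw!r}")
        cleaned.append(f"-{name}" if descending else name)
    return cleaned


def validate_alias_map(aliases, allowed=ALLOWED_FIELDS):
    """Validate an {alias: field} mapping before it is unpacked into
    annotate()/values()/aggregate() as keyword arguments.

    Keys are caller-chosen aliases and must be clean identifiers; values
    must name allowlisted fields.
    """
    if not isinstance(aliases, dict):
        raise ValueError("aliases must be a mapping")
    out = {}
    for alias, field in aliases.items():
        if not isinstance(alias, str) or not _IDENT_RE.fullmatch(alias):
            raise ValueError(f"malformed alias: {alias!r}")
        if not isinstance(field, str) or field not in allowed:
            raise ValueError(f"unknown field for alias {alias!r}: {field!r}")
        out[alias] = field
    return out


def is_safe_order_by(fields, allowed=ALLOWED_FIELDS):
    """Boolean form of validate_order_by() for use in views and tests."""
    try:
        validate_order_by(fields, allowed)
    except ValueError:
        return False
    return True


def is_safe_alias_map(aliases, allowed=ALLOWED_FIELDS):
    """Boolean form of validate_alias_map()."""
    try:
        validate_alias_map(aliases, allowed)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request inputs: one acceptable, the rest rejected.
    print(validate_order_by(["-created_at", "title"]))
    for bad in (["title.id"], ["created_at\x00"], ["password"], ["-"]):
        print(bad, "->", "ok" if is_safe_order_by(bad) else "rejected")
    print(validate_alias_map({"when": "created_at"}))
    print({"a.b": "title"}, "->", "ok" if is_safe_alias_map({"a.b": "title"}) else "rejected")
```

The allowlist is the important part: the regex alone would still let a caller sort by any model field, so the two checks are applied together. Calls such as `Model.objects.order_by(*validate_order_by(request.GET.getlist("sort")))` keep raw query parameters out of the ORM entirely.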

Two moderate-severity denial-of-service vulnerabilities were patched in the latest releases. CVE-2025-14550 affects Django’s ASGI implementation, which handles asynchronous web requests.

Attackers can exploit how ASGIRequest processes duplicate HTTP headers, causing super-linear computation through repeated string concatenation that degrades service performance.
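The duplicate-header behaviour described above, as an added example that is not Django's code or its patch: two ways of folding repeated ASGI headers into a single META value, with a counter that makes the super-linear cost visible without timing anything. The header list is constructed (the value is a documentation IP), and the join-based merge is the generic linear fix, not necessarily the exact change in Django's commit.

```python
def make_headers(repeats, name=b"x-forwarded-for", value=b"203.0.113.1"):
    """Constructed ASGI-style header list: (name, value) byte pairs, with one
    header name repeated `repeats` times."""
    return [(name, value) for _ in range(repeats)]


def _meta_key(name):
    # The usual CGI/WSGI normalisation: HTTP_ prefix, upper case, '-' -> '_'.
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def merge_headers_concat(headers):
    """Merge duplicates by re-concatenating the accumulated string each time.

    The accumulated value lives in a dict, so CPython cannot extend it in
    place: every duplicate copies the whole prefix again. Returns the META
    dict and the number of characters written while building it, which grows
    quadratically in the number of duplicates.
    """
    meta = {}
    written = 0
    for name, value in headers:
        key = _meta_key(name)
        text = value.decode("latin1")
        if key in meta:
            text = meta[key] + "," + text   # new string: prefix copied again
            written += len(text)
        meta[key] = text
    return meta, written


def merge_headers_join(headers):
    """Linear merge: bucket values per header name, join each bucket once.

    Returns the same META dict plus the characters written, which is just
    the final length of each merged value.
    """
    buckets = {}
    for name, value in headers:
        buckets.setdefault(_meta_key(name), []).append(value.decode("latin1"))
    meta = {key: ",".join(values) for key, values in buckets.items()}
    written = sum(len(v) for v in meta.values())
    return meta, written


def growth_ratio(merge, small=100, large=200):
    """How much the write cost grows when the duplicate count doubles:
    about 4 for the quadratic merge, about 2 for the linear one."""
    _, cost_small = merge(make_headers(small))
    _, cost_large = merge(make_headers(large))
    return cost_large / cost_small


if __name__ == "__main__":
    for merge in (merge_headers_concat, merge_headers_join):
        meta, written = merge(make_headers(3))
        print(merge.__name__, meta, "chars written:", written)
        print("  cost ratio for 2x duplicates:", round(growth_ratio(merge), 2))
```

Both merges produce identical META dictionaries, so the fix is purely about cost: the counter roughly quadruples for the concatenating version when the number of duplicates doubles, and roughly doubles for the join version. The counter is a lower bound on real work, since each `a + "," + b` also builds an intermediate string.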

While less severe, the low-rated CVE-2025-13473 (username enumeration via a timing attack in the mod_wsgi authentication handler) could facilitate targeted credential-stuffing attacks against Django applications using mod_wsgi authentication.

All Django versions, including the main development branch, 6.0, 5.2, and 4.2 series, are affected by these vulnerabilities.

The Django Software Foundation has released patches across all supported branches, with specific GitHub commits available for each vulnerability.

System administrators should immediately upgrade to the patched versions and verify that all untrusted user input is sanitized adequately before database operations.

Organizations using Django in production environments should prioritize patching the high-severity SQL injection vulnerabilities, particularly if applications utilize PostGIS functionality or FilteredRelation queries.

The denial-of-service vulnerabilities affecting ASGI deployments require urgent attention for high-traffic applications that could be targeted for disruption.
