Rapid7

vulnerability

FreeBSD: VID-0db46f84-b9fa-11ec-89df-080027240888 (CVE-2022-28347): Django -- multiple vulnerabilities

Try Surface Command
Back to search
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Apr 12, 2022
Added
Nov 4, 2022
Modified
Jun 15, 2026

Description

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

Solutions

freebsd-upgrade-package-py37-django22freebsd-upgrade-package-py38-django22freebsd-upgrade-package-py39-django22freebsd-upgrade-package-py310-django22freebsd-upgrade-package-py37-django32freebsd-upgrade-package-py38-django32freebsd-upgrade-package-py39-django32freebsd-upgrade-package-py310-django32freebsd-upgrade-package-py38-django40freebsd-upgrade-package-py39-django40freebsd-upgrade-package-py310-django40

References

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report