Red Hat: CVE-2025-64459: django: Django SQL injection (Multiple Advisories)
| Severity | CVSS (v2 vector) | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Nov 5, 2025 | Dec 12, 2025 | Jan 27, 2026 |
Description
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is expanded into their keyword arguments (for example `filter(**untrusted_dict)`), so that the dictionary supplies the `_connector` argument. The connector string is what joins the individual lookups in the generated WHERE clause, so an attacker-controlled value lands in the SQL text rather than in a bound parameter. Applications that never expand untrusted mappings into these calls are not reachable through this path, but the affected packages should still be upgraded.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
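The following is an added illustration of the mechanism described above; it is not Django's code and not part of the Red Hat advisory. It is a small stand-in for the part of `Q()` that joins keyword lookups with a connector string, written so the injection path can be run without a database. All function names (`where_sql_vulnerable`, `where_sql_fixed`, `sanitize_filter_params`, `demo`), the allowed-connector set and the request dictionary are assumptions made for the example; the exact upstream fix is not reproduced.

```python
"""
Added illustration for CVE-2025-64459. This is NOT Django's code: it is a
stand-in for the part of Q()/WhereNode that joins lookups with a connector
string, written so the mechanism in the description can be run without a
database. Function and variable names here are invented for the example.
"""

# Django's Q.AND / Q.OR / Q.XOR are the only connector strings that should
# ever reach SQL; anything else has no business in a WHERE clause.
ALLOWED_CONNECTORS = {"AND", "OR", "XOR"}


def where_sql_vulnerable(*, _connector=None, _negated=False, **lookups):
    """Stand-in for Q(**kwargs) compiled to SQL in an affected release.

    Each keyword lookup becomes a parameterised `"col" = %s` clause (values
    never touch the SQL text), but the connector string that joins the
    clauses is interpolated verbatim, which is the injection point.
    """
    connector = "AND" if _connector is None else _connector
    children = sorted(lookups.items())          # Q() sorts kwargs by name
    clauses = [f'"{column}" = %s' for column, _ in children]
    params = [value for _, value in children]
    sql = f" {connector} ".join(clauses)
    if _negated:
        sql = f"NOT ({sql})"
    return sql, params


def where_sql_fixed(*, _connector=None, _negated=False, **lookups):
    """Same shape, with the connector allow-listed before it reaches SQL
    (the kind of check a fixed release performs; the exact upstream
    implementation is not reproduced here)."""
    if _connector is not None and _connector not in ALLOWED_CONNECTORS:
        raise ValueError(f"invalid connector {_connector!r}")
    return where_sql_vulnerable(_connector=_connector, _negated=_negated, **lookups)


def sanitize_filter_params(params, allowed_fields=("name", "age")):
    """Application-side defence that holds on any Django version: never
    expand an untrusted mapping straight into filter()/exclude()/get()/Q();
    keep only known field names, so `_connector`, `_negated` and arbitrary
    lookups such as `password__startswith` are dropped."""
    return {k: v for k, v in params.items() if k in allowed_fields}


# Constructed request parameters (the shape request.GET.dict() would give):
# two legitimate filters plus an attacker-supplied `_connector` key.
UNTRUSTED_PARAMS = {"name": "alice", "age": "30", "_connector": "OR 1=1 OR"}


def demo():
    """Run the three variants over UNTRUSTED_PARAMS and return the results."""
    vulnerable_sql, _ = where_sql_vulnerable(**UNTRUSTED_PARAMS)
    try:
        where_sql_fixed(**UNTRUSTED_PARAMS)
        fixed_outcome = "accepted"
    except ValueError as exc:
        fixed_outcome = f"rejected: {exc}"
    safe_sql, _ = where_sql_vulnerable(**sanitize_filter_params(UNTRUSTED_PARAMS))
    return vulnerable_sql, fixed_outcome, safe_sql


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "fixed", "allow-listed"), demo()):
        print(f"{label:>12}: {result}")
```

Because `_connector` is a keyword-only parameter, `**UNTRUSTED_PARAMS` binds the attacker's key to it directly and the two real lookups become the children it joins, which is why the vulnerable variant yields `"age" = %s OR 1=1 OR "name" = %s`. Upgrading closes the library side; the allow-list in `sanitize_filter_params` is the application-side control that should exist regardless, since unrestricted `**kwargs` expansion also lets callers pick arbitrary lookups.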
Solutions
- redhat-upgrade-ansible-builder
- redhat-upgrade-ansible-core
- redhat-upgrade-ansible-creator
- redhat-upgrade-ansible-dev-environment
- redhat-upgrade-ansible-dev-tools
- redhat-upgrade-ansible-dev-tools-server
- redhat-upgrade-ansible-lint
- redhat-upgrade-ansible-navigator
- redhat-upgrade-ansible-runner
- redhat-upgrade-ansible-sign
- redhat-upgrade-automation-controller
- redhat-upgrade-automation-controller-cli
- redhat-upgrade-automation-controller-server
- redhat-upgrade-automation-controller-ui
- redhat-upgrade-automation-controller-venv-tower
- redhat-upgrade-automation-eda-controller
- redhat-upgrade-automation-eda-controller-base
- redhat-upgrade-automation-eda-controller-base-services
- redhat-upgrade-automation-eda-controller-event-stream-services
- redhat-upgrade-automation-eda-controller-worker-services
- redhat-upgrade-automation-gateway
- redhat-upgrade-automation-gateway-config
- redhat-upgrade-automation-gateway-server
- redhat-upgrade-automation-hub
- redhat-upgrade-automation-platform-ui
- redhat-upgrade-bindep
- redhat-upgrade-molecule
- redhat-upgrade-python-lazy-object-proxy-debugsource
- redhat-upgrade-python-markupsafe-debugsource
- redhat-upgrade-python-onigurumacffi-debugsource
- redhat-upgrade-python-rpds-py-debugsource
- redhat-upgrade-python-ruamel-yaml-clib-debugsource
- redhat-upgrade-python3-11-ansible-compat
- redhat-upgrade-python3-11-distlib
- redhat-upgrade-python3-11-django
- redhat-upgrade-python3-11-django-ansible-base
- redhat-upgrade-python3-11-django-ansible-base-activitystream
- redhat-upgrade-python3-11-django-ansible-base-api_documentation
- redhat-upgrade-python3-11-django-ansible-base-authentication
- redhat-upgrade-python3-11-django-ansible-base-channel_auth
- redhat-upgrade-python3-11-django-ansible-base-feature_flags
- redhat-upgrade-python3-11-django-ansible-base-jwt_consumer
- redhat-upgrade-python3-11-django-ansible-base-oauth2_provider
- redhat-upgrade-python3-11-django-ansible-base-rbac
- redhat-upgrade-python3-11-django-ansible-base-redis_client
- redhat-upgrade-python3-11-django-ansible-base-resource_registry
- redhat-upgrade-python3-11-django-ansible-base-rest_filters
- redhat-upgrade-python3-11-execnet
- redhat-upgrade-python3-11-galaxy-importer
- redhat-upgrade-python3-11-galaxy-ng
- redhat-upgrade-python3-11-gunicorn
- redhat-upgrade-python3-11-pluggy
- redhat-upgrade-python3-11-pytest
- redhat-upgrade-python3-11-pytest-ansible
- redhat-upgrade-python3-11-pytest-xdist
- redhat-upgrade-python3-11-ruamel-yaml-clib
- redhat-upgrade-python3-11-ruamel-yaml-clib-debuginfo
- redhat-upgrade-python3-11-ruamel-yaml-clib-debugsource
- redhat-upgrade-python3-11-subprocess-tee
- redhat-upgrade-python3-11-tox-ansible
- redhat-upgrade-python3-11-typing-extensions
- redhat-upgrade-python3-ansible-compat
- redhat-upgrade-python3-ansible-runner
- redhat-upgrade-python3-asgiref
- redhat-upgrade-python3-black
- redhat-upgrade-python3-bracex
- redhat-upgrade-python3-cachetools
- redhat-upgrade-python3-chardet
- redhat-upgrade-python3-click
- redhat-upgrade-python3-click-help-colors
- redhat-upgrade-python3-colorama
- redhat-upgrade-python3-commonmark
- redhat-upgrade-python3-daemon
- redhat-upgrade-python3-distlib
- redhat-upgrade-python3-django
- redhat-upgrade-python3-enrich
- redhat-upgrade-python3-execnet
- redhat-upgrade-python3-filelock
- redhat-upgrade-python3-gnupg
- redhat-upgrade-python3-gunicorn
- redhat-upgrade-python3-iniconfig
- redhat-upgrade-python3-isodate
- redhat-upgrade-python3-jsonschema
- redhat-upgrade-python3-jsonschema-path
- redhat-upgrade-python3-jsonschema-specifications
- redhat-upgrade-python3-lazy-object-proxy
- redhat-upgrade-python3-lazy-object-proxy-debuginfo
- redhat-upgrade-python3-lockfile
- redhat-upgrade-python3-markupsafe
- redhat-upgrade-python3-markupsafe-debuginfo
- redhat-upgrade-python3-more-itertools
- redhat-upgrade-python3-mypy-extensions
- redhat-upgrade-python3-onigurumacffi
- redhat-upgrade-python3-onigurumacffi-debuginfo
- redhat-upgrade-python3-openapi-core
- redhat-upgrade-python3-openapi-schema-validator
- redhat-upgrade-python3-openapi-spec-validator
- redhat-upgrade-python3-parse
- redhat-upgrade-python3-parsley
- redhat-upgrade-python3-pathable
- redhat-upgrade-python3-pathspec
- redhat-upgrade-python3-pbr
- redhat-upgrade-python3-platformdirs
- redhat-upgrade-python3-pluggy
- redhat-upgrade-python3-pygments
- redhat-upgrade-python3-pyproject-api
- redhat-upgrade-python3-pytest
- redhat-upgrade-python3-pytest-ansible
- redhat-upgrade-python3-pytest-plus
- redhat-upgrade-python3-pytest-sugar
- redhat-upgrade-python3-pytest-xdist
- redhat-upgrade-python3-referencing
- redhat-upgrade-python3-rfc3339-validator
- redhat-upgrade-python3-rich
- redhat-upgrade-python3-rpds-py
- redhat-upgrade-python3-rpds-py-debuginfo
- redhat-upgrade-python3-ruamel-yaml
- redhat-upgrade-python3-ruamel-yaml-clib
- redhat-upgrade-python3-ruamel-yaml-clib-debuginfo
- redhat-upgrade-python3-setuptools-wheel
- redhat-upgrade-python3-sqlparse
- redhat-upgrade-python3-subprocess-tee
- redhat-upgrade-python3-termcolor
- redhat-upgrade-python3-tox-ansible
- redhat-upgrade-python3-typing-extensions
- redhat-upgrade-python3-virtualenv
- redhat-upgrade-python3-wcmatch
- redhat-upgrade-python3-werkzeug
- redhat-upgrade-python3-wheel-wheel
- redhat-upgrade-receptor
- redhat-upgrade-receptor-debuginfo
- redhat-upgrade-receptor-debugsource
- redhat-upgrade-receptorctl
- redhat-upgrade-tox
- redhat-upgrade-yamllint