Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Django Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-1312 - Vulnerability Database
Django

Django Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2026-1312

Medium
Reference: CVE-2026-1312
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-1312
Title: Django Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

An issue was discovered in 6.0 before 6.0.2 5.2 before 5.2.11 and 4.2 before 4.2.28. .QuerySet.order_by() is subject to SQL injection in column aliases containing periods when the same alias is using a suitably crafted dictionary with dictionary expansion used in FilteredRelation. Earlier unsupported Django series (such as 5.0.x 4.1.x and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.