Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAL4K_NYNw40P9sNF7sz5TfP1m3fkc8d0=pXG0AKX-QXc5yQpCg@mail.gmail.com>
Date: Tue, 3 Feb 2026 09:42:43 -0500
From: Jacob Walls <jwalls@...ngoproject.com>
To: oss-security@...ts.openwall.com
Cc: Django Security Team <security@...ngoproject.com>
Subject: Django CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
 CVE-2026-1287, and CVE-2026-1312

* Announce:
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/

* CVE JSON Record for CVE-2025-13473:
https://www.cve.org/CVERecord?id=CVE-2025-13473

* CVE JSON Record for CVE-2025-14550:
https://www.cve.org/CVERecord?id=CVE-2025-14550

* CVE JSON Record for CVE-2026-1207:
https://www.cve.org/CVERecord?id=CVE-2026-1207

* CVE JSON Record for CVE-2026-1285:
https://www.cve.org/CVERecord?id=CVE-2026-1285

* CVE JSON Record for CVE-2026-1287:
https://www.cve.org/CVERecord?id=CVE-2026-1287

* CVE JSON Record for CVE-2026-1312:
https://www.cve.org/CVERecord?id=CVE-2026-1312

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django
team
is issuing releases for
`Django 6.0.2 <https://docs.djangoproject.com/en/dev/releases/6.0.2/>`_,
`Django 5.2.11 <https://docs.djangoproject.com/en/dev/releases/5.2.11/>`_,
and
`Django 4.2.28 <https://docs.djangoproject.com/en/dev/releases/4.2.28/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
=================================================================================================

The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
authentication via ``mod_wsgi`` allowed remote attackers to enumerate users
via a timing attack.

Thanks to Stackered for the report.

This issue has severity "low" according to the Django security policy.

CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
==============================================================================================

When receiving duplicates of a single header, ``ASGIRequest`` allowed a
remote attacker to cause a potential denial-of-service via a specifically
created request with multiple duplicate headers. The vulnerability resulted
from repeated string concatenation while combining repeated headers, which
produced super-linear computation resulting in service degradation or
outage.

Thanks to Jiyong Yang for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
====================================================================

Raster lookups on GIS fields (only implemented on PostGIS) were subject to
SQL injection if untrusted data was used as a band index.

As a reminder, all untrusted user input should be validated before use.

Thanks to Tarek Nakkouch for the report.

This issue has severity "high" according to the Django security policy.

CVE-2026-1285: Potential denial-of-service vulnerability in
``django.utils.text.Truncator`` HTML methods
========================================================================================================

``django.utils.text.Truncator.chars()`` and ``Truncator.words()`` methods
(with ``html=True``) and ``truncatechars_html`` and ``truncatewords_html``
template filters were subject to a potential denial-of-service attack via
certain inputs with a large number of unmatched HTML end tags, which could
cause quadratic time complexity during HTML parsing.

Thanks to Seokchan Yoon for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2026-1287: Potential SQL injection in column aliases via control
characters
===============================================================================

``FilteredRelation`` was subject to SQL injection in column aliases via
control characters, using a suitably crafted dictionary, with dictionary
expansion, as the ``**kwargs`` passed to ``QuerySet`` methods
``annotate()``, ``aggregate()``, ``extra()``, ``values()``,
``values_list()``, and ``alias()``.

Thanks to Solomon Kebede for the report.

This issue has severity "high" according to the Django security policy.

CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and
``FilteredRelation``
=========================================================================================

``QuerySet.order_by()`` was subject to SQL injection in column aliases
containing periods when the same alias was, using a suitably crafted
dictionary, with dictionary expansion, used in ``FilteredRelation``.

Thanks to Solomon Kebede for the report.

This issue has severity "high" according to the Django security policy.


Affected supported versions
===========================

* Django main
* Django 6.0
* Django 5.2
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's
main, 6.0, 5.2, and 4.2 branches.
The patches may be obtained from the following changesets.

CVE-2025-13473: Username enumeration through timing difference in mod_wsgi
authentication handler
-------------------------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/3eb814e02a4c336866d4189fa0c24fd1875863ed
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/d72cc3be3be0bbebdcaea5a8c8106b4d6f2a32bd
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/184e38ab0a061c365f5775676a074796d8abd02f
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/6dc23508f3395e1254c315084c7334ef81c4c09a
>`__

CVE-2025-14550: Potential denial-of-service vulnerability via repeated
headers when using ASGI
----------------------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/eb22e1d6d643360e952609ef562c139a100ea4eb
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/972dbdd4f7f69e9c405e6fe12a1b90e4713c1611
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/1ba90069c12836db46981bdf75b0e661db5849ce
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/f578acc8c54530fffabd52d2db654c8669b011af
>`__

CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
--------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/8f77e7301174834573614ae90e1826fdf27f8a24
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/17a1d64a58ef24c0c3b78d66d86f5415075f18f0
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/a14363102d98fa29b8cced578eb3a0fadaa5bcb7
>`__

CVE-2026-1285: Potential denial-of-service vulnerability in
``django.utils.text.Truncator`` HTML methods
--------------------------------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/4b86ba51e486530db982341a23e53c7a1e1e6e71
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/9f2ada875bbee62ac46032e38ddb22755d67ae5a
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/b40cfc6052ced26dcd8166a58ea6f841d0d2cac8
>`__

CVE-2026-1287: Potential SQL injection in column aliases via control
characters
-------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/0c0f5c2178c01ada5410cd53b4b207bf7858b952
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/3e68ccdc11c127758745ddf0b4954990b14892bc
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/f75f8f3597e1ce351d5ac08b6ba7ebd9dadd9b5d
>`__

CVE-2026-1312: Potential SQL injection via ``QuerySet.order_by`` and
``FilteredRelation``
-----------------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222
>`__
* On the `6.0 branch <
https://github.com/django/django/commit/15e70cb83e6f7a9a2a2f651f30b28b5cb20febeb
>`__
* On the `5.2 branch <
https://github.com/django/django/commit/e863ee273c6553e9b6fa4960a17acb535851857b
>`__
* On the `4.2 branch <
https://github.com/django/django/commit/90f5b10784ba5bf369caed87640e2b4394ea3314
>`__


The following releases have been issued
=======================================

* Django 6.0.2 (`download Django 6.0.2
  <https://www.djangoproject.com/download/6.0.2/tarball/>`_ |
  `6.0.2 checksums
  <https://www.djangoproject.com/download/6.0.2/checksum/>`_)
* Django 5.2.11 (`download Django 5.2.11
  <https://www.djangoproject.com/download/5.2.11/tarball/>`_ |
  `5.2.11 checksums
  <https://www.djangoproject.com/download/5.2.11/checksum/>`_)
* Django 4.2.28 (`download Django 4.2.28
  <https://www.djangoproject.com/download/4.2.28/tarball/>`_ |
  `4.2.28 checksums
  <https://www.djangoproject.com/download/4.2.28/checksum/>`_)

The PGP key ID used for this release is Jacob Walls: `131403F4D16D8DC7 <
https://github.com/jacobtylerwalls.gpg>`_


General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private
email
to ``security@...ngoproject.com``, and not via Django's Trac instance, nor
via
the Django Forum. Please see `our security policies
<https://www.djangoproject.com/security/>`_ for further information.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.