- CVE-2025-13473: The check_password function in
  django.contrib.auth.handlers.modwsgi for authentication via
  mod_wsgi allowed remote attackers to enumerate users via a timing
  attack.
- CVE-2026-1207: Raster lookups on RasterField (only implemented on
  PostGIS) allowed remote attackers to inject SQL via the band index
  parameter.
- CVE-2026-1285: The django.utils.text.Truncator.chars() and
  Truncator.words() methods (with html=True) and the
  truncatechars_html and truncatewords_html template filters allowed
  a remote attacker to cause a potential denial-of-service via
  crafted inputs containing a large number of unmatched HTML end
  tags.
- CVE-2026-1287: FilteredRelation was subject to SQL injection in
  column aliases via control characters using a suitably crafted
  dictionary, with dictionary expansion, as the **kwargs passed to
  QuerySet methods annotate(), aggregate(), extra(), values(),
  values_list() and alias().
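As an added illustration of the bug class behind CVE-2025-13473 (not Django's code; a self-contained stand-in for a mod_wsgi-style check_password handler, using a constructed in-memory user table and PBKDF2): the early-return pattern that lets response time reveal whether an account exists, beside a version that does the same hashing work on both paths.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def make_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, stored PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, make_hash("correct horse", _SALT))}

# Dummy credentials hashed once at import time, so the unknown-user path
# can perform exactly the same amount of work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = make_hash("dummy-password", _DUMMY_SALT)


def check_password_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: an unknown user returns before any hashing, so the
    handler answers much faster for non-existent accounts than for real ones,
    which is what makes user enumeration via timing possible."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(make_hash(password, salt), stored)


def check_password_uniform(username: str, password: str) -> bool:
    """Hardened pattern: always run the hasher (against a dummy hash when the
    user is missing) and always use a constant-time digest comparison, so
    both paths take the same time regardless of whether the user exists."""
    record = USERS.get(username)
    if record is None:
        salt, stored, user_exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, stored), user_exists = record, True
    matched = hmac.compare_digest(make_hash(password, salt), stored)
    # A match against the dummy hash must never authenticate anyone.
    return matched and user_exists
```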