Fedora 42 python-django5 Critical SQL Injection DoS Fixes 2026-00b5bf3150
fedora
February 28, 2026
Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated...
Summary
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.
Update Information:
Fixes CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler Fixes CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI Fixes CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS Fixes CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods Fixes CVE-2026-1287: Potential SQL injection in column aliases via control characters Fixes CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated by QuerySet.bulk_create() on PostgreSQL Fixed a bug where management command colorized help (introduced in Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting
Topics Covered
Change Log
* Thu Feb 19 2026 Michel Lind
References
[ 1 ] Bug #2427483 - python-django5-5.2.11 is available https://bugzilla.redhat.com/show_bug.cgi?id=2427483 [ 2 ] Bug #2436695 - CVE-2025-14550 python-django5: Django: Denial of Service via crafted request with duplicate headers [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2436695 [ 3 ] Bug #2436699 - CVE-2026-1312 python-django5: Django: SQL injection via crafted column aliases in QuerySet.order_by() [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2436699 [ 4 ] Bug #2436709 - CVE-2026-1285 python-django5: Django: Denial of Service via crafted HTML inputs [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2436709 [ 5 ] Bug #2436714 - CVE-2026-1287 python-django5: Django: SQL Injection via crafted column aliases [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2436714 [ 6 ] Bug #2436716 - CVE-2026-1207 python-django5: Django: SQL Injection via RasterField band index parameter [fedora-42] ...
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-00b5bf3150' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Name: python-django5
Product: Fedora 42
Version: 5.2.11
Release: 1.fc42
Summary: A high-level Python Web framework
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!