This update for python-Django fixes the following issues:
- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and
FilteredRelation (bsc#1257408).
- CVE-2026-1287: Fixed potential SQL injection in column aliases via
control characters (bsc#1257407).
- CVE-2026-1207: Fixed potential SQL injection via raster lookups on
PostGIS (bsc#1257405).
- CVE-2026-1285: Fixed potential denial-of-service in
django.utils.text.Truncator HTML methods (bsc#1257406).
- CVE-2025-13473: Fixed username enumeration through timing difference in
mod_wsgi authentication handler (bsc#1257401).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP6:
zypper in -t patch openSUSE-2026-37=1
- openSUSE Backports SLE-15-SP6 (noarch):
python3-Django-2.2.28-bp156.30.1
https://www.suse.com/security/cve/CVE-2025-13473.html
https://www.suse.com/security/cve/CVE-2026-1207.html
https://www.suse.com/security/cve/CVE-2026-1285.html
https://www.suse.com/security/cve/CVE-2026-1287.html
https://www.suse.com/security/cve/CVE-2026-1312.html
https://bugzilla.suse.com/1257401
https://bugzilla.suse.com/1257405
https://bugzilla.suse.com/1257406
https://bugzilla.suse.com/1257407
https://bugzilla.suse.com/1257408
Get the latest Linux and open source security news straight to your inbox.