CVE-2026-1312

Gravedad:

Pendiente de análisis

Tipo:

CWE-89 Neutralización incorrecta de elementos especiales usados en un comando SQL (Inyección SQL)

Fecha de publicación:

03/02/2026

Última modificación:

03/02/2026

Descripción

*** Pendiente de traducción *** An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.<br /> `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`.<br /> Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.<br /> Django would like to thank Solomon Kebede for reporting this issue.

Impacto

Referencias a soluciones, herramientas e información

https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/