{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-64459",
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "state": "PUBLISHED",
    "assignerShortName": "DSF",
    "dateReserved": "2025-11-04T14:35:57.527Z",
    "datePublished": "2025-11-05T15:09:58.239Z",
    "dateUpdated": "2026-02-26T17:47:16.519Z"
  },
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {"lessThan": "5.2.8", "status": "affected", "version": "5.2", "versionType": "semver"},
            {"status": "unaffected", "version": "5.2.8", "versionType": "semver"},
            {"lessThan": "5.1.14", "status": "affected", "version": "5.1", "versionType": "semver"},
            {"status": "unaffected", "version": "5.1.14", "versionType": "semver"},
            {"lessThan": "4.2.26", "status": "affected", "version": "4.2", "versionType": "semver"},
            {"status": "unaffected", "version": "4.2.26", "versionType": "semver"}
          ]
        }
      ],
      "credits": [
        {"lang": "en", "type": "reporter", "value": "cyberstan"},
        {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"},
        {"lang": "en", "type": "coordinator", "value": "Natalia Bidart"}
      ],
      "datePublic": "2025-11-05T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "<p>An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.</p><p>The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank cyberstan for reporting this issue.</p>"
            }
          ],
          "value": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue."
        }
      ],
      "impacts": [
        {"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "high"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF",
        "dateUpdated": "2025-11-05T15:09:58.239Z"
      },
      "references": [
        {"name": "Django security archive", "tags": ["vendor-advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"},
        {"name": "Django releases announcements", "tags": ["mailing-list"], "url": "https://groups.google.com/g/django-announce"},
        {"name": "Django security releases issued: 5.2.8, 5.1.14, and 4.2.26", "tags": ["vendor-advisory"], "url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/"}
      ],
      "source": {"discovery": "EXTERNAL"},
      "timeline": [
        {"lang": "en", "time": "2025-10-20T00:00:00.000Z", "value": "Initial report received."},
        {"lang": "en", "time": "2025-10-20T00:00:00.000Z", "value": "Vulnerability confirmed."},
        {"lang": "en", "time": "2025-11-05T14:00:00.000Z", "value": "Security release issued."}
      ],
      "title": "Potential SQL injection via _connector keyword argument in QuerySet and Q objects",
      "x_generator": {"engine": "cvelib 1.8.0"}
    },
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "scope": "UNCHANGED",
              "version": "3.1",
              "baseScore": 9.1,
              "attackVector": "NETWORK",
              "baseSeverity": "CRITICAL",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "integrityImpact": "HIGH",
              "userInteraction": "NONE",
              "attackComplexity": "LOW",
              "availabilityImpact": "NONE",
              "privilegesRequired": "NONE",
              "confidentialityImpact": "HIGH"
            }
          },
          {
            "other": {
              "type": "ssvc",
              "content": {
                "id": "CVE-2025-64459",
                "role": "CISA Coordinator",
                "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}],
                "version": "2.0.3",
                "timestamp": "2025-11-06T04:55:36.221321Z"
              }
            }
          }
        ],
        "title": "CISA ADP Vulnrichment",
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-26T17:47:16.519Z"
        }
      },
      {
        "providerMetadata": {
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE",
          "dateUpdated": "2025-11-08T12:49:45.129Z"
        },
        "references": [
          {"url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html"}
        ],
        "title": "CVE Program Container",
        "x_generator": {"engine": "ADPogram 0.0.1"}
      }
    ]
  }
}
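Two checks a practitioner would want alongside this record, as an added Python example that is neither Django's code nor part of the CVE record. The first, `is_affected()`, applies the version ranges exactly as the record states them and returns `None` for series the record says were not evaluated (5.0.x, 4.1.x, 3.2.x and other unsupported branches), so those are not mistaken for safe. The second, `safe_lookup_kwargs()`, addresses the vector the record names: a user-controlled dictionary expanded with `**` into `QuerySet.filter()`, `exclude()`, `get()` or `Q()`, so that a key literally named `_connector` lands on the keyword-only parameter. The view pattern `Model.objects.filter(**request.GET.dict())` used in the module docstring is a hypothetical example of exposed code, the `field__lookup` key syntax is Django's documented convention, and `_negated` being `Q()`'s other keyword-only parameter is a fact about Django's API rather than something the record states; the placeholder value for `_connector` is constructed and is not a working payload.

```python
"""Triage helpers for the issue described in this record (added example, not
Django's code). A view such as `Model.objects.filter(**request.GET.dict())`
(hypothetical) lets a request parameter named `_connector` reach Q(); the
sanitiser below blocks that before the `**` expansion happens."""
import re
from typing import Any, Collection, Dict, Optional, Tuple

# Fixed versions per the CVE record, keyed by release series. Series absent
# here were not evaluated by the record, so no claim is made about them.
FIXED_IN = {(5, 2): (5, 2, 8), (5, 1): (5, 1, 14), (4, 2): (4, 2, 26)}

# Keyword-only parameters of Q.__init__ that must never come from request data.
# `_connector` is the vector in the record; `_negated` is Q()'s other one.
RESERVED_KWARGS = {"_connector", "_negated"}

# One segment of a `field__lookup` key: lowercase identifier, no leading underscore.
PART_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; pre-release suffixes are ignored ('5.2a1' -> (5, 2, 0))."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """True/False for the series the record evaluated; None where it makes no claim."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def safe_lookup_kwargs(params: Dict[str, Any], allowed_fields: Collection[str]) -> Dict[str, Any]:
    """Return a copy of `params` that is safe to expand into QuerySet.filter(**...).

    Rejects Q()'s reserved keyword arguments, any underscore-prefixed or malformed
    key, and any key whose leading field name is outside `allowed_fields`.
    """
    clean: Dict[str, Any] = {}
    for key, value in params.items():
        if key in RESERVED_KWARGS or key.startswith("_"):
            raise ValueError(f"reserved keyword argument rejected: {key!r}")
        parts = key.split("__")
        if not all(PART_RE.match(part) for part in parts):
            raise ValueError(f"malformed lookup key rejected: {key!r}")
        if parts[0] not in allowed_fields:
            raise ValueError(f"field not in allowlist: {parts[0]!r}")
        clean[key] = value
    return clean


if __name__ == "__main__":
    for v in ("5.2.7", "5.2.8", "4.2.25", "5.0.14"):
        print(f"Django {v}: affected={is_affected(v)}")
    # Constructed request parameters: one legitimate lookup plus the reserved key
    # the record names. The value is a placeholder, not an actual payload.
    untrusted = {"name__icontains": "alice", "_connector": "<attacker-controlled text>"}
    try:
        safe_lookup_kwargs(untrusted, allowed_fields={"name", "email"})
    except ValueError as exc:
        print("rejected:", exc)
```

Upgrading to a fixed release is the remedy; the allowlist is defence in depth and remains worthwhile on fixed versions, because a raw request dictionary passed through `**` also lets the caller choose which fields to filter on (for example a lookup against a column the view never intended to expose).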