{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T09:59:25.557","vulnerabilities":[{"cve":{"id":"CVE-2025-64459","sourceIdentifier":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","published":"2025-11-05T15:15:41.080","lastModified":"2025-11-10T18:25:59.883","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue."},{"lang":"es","value":"Se descubrió un problema en 5.1 anterior a 5.1.14, 4.2 anterior a 4.2.26 y 5.2 anterior a 5.2.8. Los métodos 'QuerySet.filter()', 'QuerySet.exclude()' y 'QuerySet.get()', y la clase 'Q()', están sujetos a inyección SQL cuando se utiliza un diccionario adecuadamente diseñado, con expansión de diccionario, como argumento '_connector'. Series anteriores de Django sin soporte (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y también pueden verse afectadas. \nDjango desea agradecer a cyberstan por informar de este problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.2.26","matchCriteriaId":"5FC7EBE0-A60A-4083-9FB7-E4ADCD2B5F37"},{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.1.14","matchCriteriaId":"9F3A5471-02DB-428E-815E-516057A901FF"},{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.2.8","matchCriteriaId":"F56E9016-F93A-4DAE-8070-D3A4909F00A4"}]}]}],"references":[{"url":"https://docs.djangoproject.com/en/dev/releases/security/","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Vendor Advisory"]},{"url":"https://groups.google.com/g/django-announce","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Mailing List"]},{"url":"https://www.djangoproject.com/weblog/2025/nov/05/security-releases/","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Vendor Advisory"]},{"url":"https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}