{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T17:27:08.368","vulnerabilities":[{"cve":{"id":"CVE-2026-1287","sourceIdentifier":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","published":"2026-02-03T15:16:13.703","lastModified":"2026-02-04T17:35:11.553","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Solomon Kebede for reporting this issue."},{"lang":"es","value":"Se descubrió un problema en 6.0 anterior a 6.0.2, 5.2 anterior a 5.2.11 y 4.2 anterior a 4.2.28.\n'FilteredRelation' está sujeta a inyección SQL en alias de columna mediante caracteres de control, utilizando un diccionario adecuadamente elaborado, con expansión de diccionario, como los '**kwargs' pasados a los métodos de 'QuerySet' 'annotate()', 'aggregate()', 'extra()', 'values()', 'values_list()' y 'alias()'.\nSeries de Django anteriores y no compatibles (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y también pueden estar afectadas.\nDjango desea agradecer a Solomon Kebede por informar sobre este problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.2.28","matchCriteriaId":"59566A1F-D2C5-43D6-97AA-258EFD90B937"},{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.2.11","matchCriteriaId":"845BC013-1341-4D81-A5F1-507C814ABA7E"},{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.0.2","matchCriteriaId":"4ACBCB7B-B8F4-4EEF-842D-0CCB8674BCD2"}]}]}],"references":[{"url":"https://docs.djangoproject.com/en/dev/releases/security/","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Vendor Advisory","Patch"]},{"url":"https://groups.google.com/g/django-announce","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Release Notes"]},{"url":"https://www.djangoproject.com/weblog/2026/feb/03/security-releases/","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Patch","Vendor Advisory"]}]}}]}