CVE-2026-1207
Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-1207 NameCVE-2026-1207 DescriptionAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like toβ¦
CVE-2026-1207
| Name | CVE-2026-1207 |
| Description | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4484-1, DSA-6150-1 |
| Debian Bugs | 1126914 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-django (PTS) | bullseye | 2:2.2.28-1~deb11u2 | vulnerable |
| bullseye (security) | 2:2.2.28-1~deb11u12 | fixed | |
| bookworm, bookworm (security) | 3:3.2.25-0+deb12u2 | fixed | |
| trixie (security), trixie | 3:4.2.28-0+deb13u1 | fixed | |
| forky | 3:4.2.30-1 | fixed | |
| sid | 3:5.2.15-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-django | source | bullseye | 2:2.2.28-1~deb11u12 | DLA-4484-1 | ||
| python-django | source | bookworm | 3:3.2.25-0+deb12u2 | DSA-6150-1 | ||
| python-django | source | trixie | 3:4.2.28-0+deb13u1 | DSA-6150-1 | ||
| python-django | source | (unstable) | 3:4.2.28-1 | 1126914 |
Notes
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Fixed by: https://github.com/django/django/commit/a14363102d98fa29b8cced578eb3a0fadaa5bcb7 (4.2.28)
Apply commands
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/Fixed by: https://github.com/django/django/commit/a14363102d98fa29b8cced578eb3a0fadaa5bcb7 (4.2.28)OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 3:4.2.28-0+deb13u1 |
| sid | Fixed | 3:4.2.28-1 |
| forky | Fixed | 3:4.2.28-1 |
| bullseye | Fixed | 2:2.2.28-1~deb11u12 |
| bookworm | Fixed | 3:3.2.25-0+deb12u2 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-1207
- https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/django/django
- https://groups.google.com/g/django-announce
- https://www.djangoproject.com/weblog/2026/feb/03/security-releases
- https://docs.djangoproject.com/en/dev/releases/security/
- https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
- https://www.suse.com/security/cve/CVE-2026-1207.html
- https://security-tracker.debian.org/tracker/CVE-2026-1207
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.