An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| Django(PyPI) | 0 | 4.2.24 | N/A |
| Django(PyPI) | 5.0a1 | 5.1.12 | N/A |
| Django(PyPI) | 5.2a1 | 5.2.6 | N/A |
CVSS Metrics
