CVE-2026-1207
MediumCVSS 5.4Exploitation Probability (EPSS)
Very high risk95th percentile - higher than 95% of all known CVEs
Summary
In Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, a vulnerability was found in raster lookups on RasterField (PostGIS only). Remote attackers can inject SQL via the band index parameter.
Risk Assessment
The organization is at risk of unauthorized database access, data leakage or modification, and potential compromise of the database system.
Recommendation
Upgrade Django immediately to version 6.0.2, 5.2.11, or 4.2.28 depending on your series. If not possible, temporarily disable RasterField functionality or restrict access to it.
Original NVD description (English source)
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

