CVE Catalog

CVE-2026-1207

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
9.44%

95th percentile - higher than 95% of all known CVEs

Summary

In Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, a vulnerability was found in raster lookups on RasterField (PostGIS only). Remote attackers can inject SQL via the band index parameter.

Risk Assessment

The organization is at risk of unauthorized database access, data leakage or modification, and potential compromise of the database system.

Recommendation

Upgrade Django immediately to version 6.0.2, 5.2.11, or 4.2.28 depending on your series. If not possible, temporarily disable RasterField functionality or restrict access to it.

Original NVD description (English source)

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS