Django has released security patches for versions 6.0.2, 5.2.11, and 4.2.28 addressing six vulnerabilities. Three high-severity SQL injection issues affect raster lookups on PostGIS, column aliases via control characters, and QuerySet.order_by with FilteredRelation. Two moderate-severity denial-of-service vulnerabilities impact

From djangoproject.com
Table of contents
CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI
CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
CVE-2026-1285: Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
CVE-2026-1287: Potential SQL injection in column aliases via control characters
CVE-2026-1312: Potential SQL injection via QuerySet.order_by and FilteredRelation
Affected supported versions
Resolution
The following releases have been issued
General notes regarding security reporting
