CVE-2026-1312 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-1312 Interim 1 1 2026-03-05T00:19:33Z current 2026-03-05T00:19:33Z 2026-03-05T00:19:33Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-1312 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2026-February/024108.html E-Mail link for SUSE-SU-2026:0440-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Package Hub 15 SP6 openSUSE Leap 15.6 openSUSE Leap 16.0 openSUSE Tumbleweed python3-Django-2.2.28-bp156.30.1 python311-Django-4.2.11-150600.3.47.1 python311-Django-5.2.11-1.1 python311-Django4-4.2.28-1.1 python312-Django-5.2.11-1.1 python312-Django4-4.2.28-1.1 python312-Django6-6.0.2-1.1 python313-Django-5.2.11-1.1 python313-Django-5.2.4-bp160.5.1 python313-Django4-4.2.28-1.1 python313-Django6-6.0.2-1.1 python311-Django-4.2.11-150600.3.47.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python3-Django-2.2.28-bp156.30.1 as a component of SUSE Package Hub 15 SP6 python3-Django-2.2.28-bp156.30.1 as a component of openSUSE Leap 15.6 python311-Django-4.2.11-150600.3.47.1 as a component of openSUSE Leap 15.6 python313-Django-5.2.4-bp160.5.1 as a component of openSUSE Leap 16.0 python311-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python312-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python312-Django6-6.0.2-1.1 as a component of openSUSE Tumbleweed python313-Django-5.2.11-1.1 as a component of openSUSE Tumbleweed python313-Django4-4.2.28-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0.2-1.1 as a component of openSUSE Tumbleweed An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. CVE-2026-1312 SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.47.1 SUSE Package Hub 15 SP6:python3-Django-2.2.28-bp156.30.1 openSUSE Leap 15.6:python3-Django-2.2.28-bp156.30.1 openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.47.1 openSUSE Leap 16.0:python313-Django-5.2.4-bp160.5.1 openSUSE Tumbleweed:python311-Django-5.2.11-1.1 openSUSE Tumbleweed:python311-Django4-4.2.28-1.1 openSUSE Tumbleweed:python312-Django-5.2.11-1.1 openSUSE Tumbleweed:python312-Django4-4.2.28-1.1 openSUSE Tumbleweed:python312-Django6-6.0.2-1.1 openSUSE Tumbleweed:python313-Django-5.2.11-1.1 openSUSE Tumbleweed:python313-Django4-4.2.28-1.1 openSUSE Tumbleweed:python313-Django6-6.0.2-1.1 important 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H