Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-1312
PUBLISHED
More InfoOfficial Page
Assigner-DSF
Assigner Org ID-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
View Known Exploited Vulnerability (KEV) details
Published At-03 Feb, 2026 | 14:36
Updated At-30 Jun, 2026 | 12:07
Rejected At-
â–¼CVE Numbering Authority (CNA)
Potential SQL injection via QuerySet.order_by and FilteredRelation

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Affected Products
Vendor
Djangodjangoproject
Product
Django
Collection URL
https://pypi.org/project/Django/
Package Name
django
Repo
https://github.com/django/django/
Default Status
unaffected
Versions
Affected
  • From 6.0 before 6.0.2 (semver)
  • From 5.2 before 5.2.11 (semver)
  • From 4.2 before 4.2.28 (semver)
Unaffected
  • 6.0.2 (semver)
  • 5.2.11 (semver)
  • 4.2.28 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Django severity rating
value:
high
namespace:
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66: SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66: SQL Injection
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Solomon Kebede
remediation developer
Jacob Walls
coordinator
Jacob Walls
Timeline
EventDate
Initial report received.2026-01-12 18:00:00
Vulnerability confirmed.2026-01-26 18:00:00
Security release issued.2026-02-03 08:00:00
Event: Initial report received.
Date: 2026-01-12 18:00:00
Event: Vulnerability confirmed.
Date: 2026-01-26 18:00:00
Event: Security release issued.
Date: 2026-02-03 08:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
vendor-advisory
Hyperlink: https://docs.djangoproject.com/en/dev/releases/security/
Resource:
vendor-advisory
Hyperlink: https://groups.google.com/g/django-announce
Resource:
mailing-list
Hyperlink: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Resource:
vendor-advisory
â–¼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()

A flaw was found in Django. A remote attacker could exploit a SQL injection vulnerability in the `.QuerySet.order_by()` method. This occurs when column aliases containing periods are used, and the same alias is also present in `FilteredRelation` via a specially crafted dictionary. Successful exploitation could lead to unauthorized information disclosure or arbitrary code execution within the database.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5 for RHEL 8
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.16 for RHEL 8
CPEs
  • cpe:/a:redhat:satellite:6.16::el8
  • cpe:/a:redhat:satellite_capsule:6.16::el8
  • cpe:/a:redhat:satellite_utils:6.16::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5 for RHEL 9
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6 for RHEL 9
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.16 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.16::el9
  • cpe:/a:redhat:satellite_capsule:6.16::el9
  • cpe:/a:redhat:satellite_maintenance:6.16::el9
  • cpe:/a:redhat:satellite_utils:6.16::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.17 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.17::el9
  • cpe:/a:redhat:satellite_capsule:6.17::el9
  • cpe:/a:redhat:satellite_maintenance:6.17::el9
  • cpe:/a:redhat:satellite_utils:6.17::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.18 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.18::el9
  • cpe:/a:redhat:satellite_capsule:6.18::el9
  • cpe:/a:redhat:satellite_maintenance:6.18::el9
  • cpe:/a:redhat:satellite_utils:6.18::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Discovery 2
CPEs
  • cpe:/a:redhat:discovery:2::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.18
CPEs
  • cpe:/a:redhat:satellite:6.18::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6
CPEs
  • cpe:/a:redhat:satellite:6
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Update Infrastructure 4 for Cloud Providers
CPEs
  • cpe:/a:redhat:rhui:4::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6 for RHEL 10
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el10
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 16.2
CPEs
  • cpe:/a:redhat:openstack:16.2
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 17.1
CPEs
  • cpe:/a:redhat:openstack:17.1
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 18.0
CPEs
  • cpe:/a:redhat:openstack:18.0
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9

RHSA-2026:5971: Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9

RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9

RHSA-2026:5970: Red Hat Satellite 6.17 for RHEL 9

RHSA-2026:14835: Red Hat Satellite 6.18 for RHEL 9

RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5

RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6

RHSA-2026:2694: Red Hat Discovery 2

RHSA-2026:6291: Red Hat Satellite 6.18

Configurations

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-02-03 15:01:18
Made public.2026-02-03 14:36:23
Event: Reported to Red Hat.
Date: 2026-02-03 15:01:18
Event: Made public.
Date: 2026-02-03 14:36:23
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-1312
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2436342
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:3959
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:5971
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3958
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:5970
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14835
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3962
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3960
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2694
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6291
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-1312
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2436342
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
Resource:
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3959
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5971
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3958
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5970
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:14835
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3962
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3960
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:2694
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:6291
Resource:
vendor-advisory
x_refsource_REDHAT
Details not found