Critical
resolved
SQL Injection when using FilteredRelation
Bug reported by Eyal Gabay, disclosed on September 15, 2025, 2:01 pm | SQL Injection
A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. It was located in the tests/filtered_relation/tests.py file and allowed an attacker to inject malicious SQL code through the user_data parameter used in the FilteredRelation and select_related functions.

