HackerOne Disclosed Reports - 2025-12-02


Severity: High | Status: resolved

Potential SQL Injection when annotating FilteredRelation on PostgreSQL


Bug reported by Stackered, disclosed on December 2, 2025, 3:28 pm   |   SQL Injection

A potential SQL injection vulnerability was discovered in Django's annotation of FilteredRelation on PostgreSQL. The vulnerability was caused by an incomplete regular expression filter in the FORBIDDEN_ALIAS_PATTERN. This allowed user input to be interpreted as raw strings, potentially enabling the execution of malicious SQL queries. The vulnerability was reported to the Django security team.
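The report attributes the bug to a deny-list regular expression that did not cover every dangerous character. The following added example (not Django's code and not the reporter's; the deny-list pattern here is a constructed stand-in, not the real FORBIDDEN_ALIAS_PATTERN) contrasts that approach with an allow-list identifier check of the kind a defender would use for column aliases:

```python
import re

# Constructed deny-list in the spirit of an incomplete alias filter
# (NOT Django's actual FORBIDDEN_ALIAS_PATTERN): it only rejects quotes,
# whitespace, semicolons and SQL comment markers.
DENY_LIST_PATTERN = re.compile(r"""['"`;\s]|--|/\*|\*/""")

# Allow-list: an unquoted SQL identifier starts with a letter or underscore
# and otherwise contains only letters, digits and underscores.
ALLOW_LIST_PATTERN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
MAX_IDENTIFIER_LENGTH = 63  # PostgreSQL NAMEDATALEN - 1


def deny_list_accepts(alias: str) -> bool:
    """True if the deny-list filter would let this alias through unchanged."""
    return DENY_LIST_PATTERN.search(alias) is None


def validate_alias(alias: str) -> str:
    """Allow-list validation for a column alias; raises ValueError otherwise."""
    if not isinstance(alias, str) or not alias:
        raise ValueError("alias must be a non-empty string")
    if len(alias) > MAX_IDENTIFIER_LENGTH:
        raise ValueError("alias exceeds PostgreSQL identifier length")
    if not ALLOW_LIST_PATTERN.fullmatch(alias):
        raise ValueError(f"alias {alias!r} contains characters outside [A-Za-z0-9_]")
    return alias


def classify(aliases):
    """Map each candidate alias to (deny_list_accepts, allow_list_accepts)."""
    result = {}
    for alias in aliases:
        try:
            validate_alias(alias)
            allowed = True
        except ValueError:
            allowed = False
        result[alias] = (deny_list_accepts(alias), allowed)
    return result


if __name__ == "__main__":
    # Constructed candidates: one benign alias, two that contain no denied
    # character yet are not valid identifiers, and one rejected by both checks.
    for alias, (deny_ok, allow_ok) in classify(["author_count", "a)", "x,y", "bad alias"]).items():
        print(f"{alias!r}: deny-list passes={deny_ok}, allow-list passes={allow_ok}")
```

The point is that a deny list must enumerate every character the SQL grammar treats specially, whereas an allow list only has to describe the one shape an identifier may take.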




