Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2025-09-15
Critical
resolved

SQL Injection when using FilteredRelation


Bug reported by Eyal Gabay, disclosed on September 15, 2025, 2:01 pm | SQL Injection

A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. It was located in the tests/filtered_relation/tests.py file and allowed an attacker to inject malicious SQL code through the user_data parameter used in the FilteredRelation and select_related functions.