Dark C0d3rs

Dark C0d3rs > Exploit Log > Research Papers/Vulnerability reports > HackerOne Disclosed Reports - 2025-12-02
Full Version: HackerOne Disclosed Reports - 2025-12-02
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

hashXploiter

12-03-2025, 12:30 PM
Logo
High
resolved

Potential SQL Injection when annotating FilteredRelation on PostgreSQL


Bug reported by Stackered was disclosed at December 2, 2025, 3:28 pm   |   SQL Injection

A potential SQL injection vulnerability was discovered in Django's annotation of FilteredRelation on PostgreSQL. The vulnerability was caused by an incomplete regular expression filter in the FORBIDDEN_ALIAS_PATTERN. This allowed user input to be interpreted as raw strings, potentially enabling the execution of malicious SQL queries. The vulnerability was reported to the Django security team.


Dark C0d3rs > Exploit Log > Research Papers/Vulnerability reports > HackerOne Disclosed Reports - 2025-12-02