Dark C0d3rs
HackerOne Disclosed Reports - 2025-09-15 - Printable Version

HackerOne disclosed reports - 2025-09-15 - hashXploiter - 09-16-2025

Critical
resolved

SQL Injection when using FilteredRelation


Bug reported by Eyal Gabay was disclosed on September 15, 2025, 2:01 pm | SQL Injection

A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. The vulnerability was located in the tests/filtered_relation/tests.py file. The vulnerability allowed an attacker to inject malicious SQL code through the user_data parameter used in the FilteredRelation and select_related functions.