Dark C0d3rs
HackerOne Disclosed Reports - 2025-12-02 - Printable Version




HackerOne disclosed reports - 2025-12-02 - hashXploiter - 12-03-2025

Severity: High | Status: resolved

Potential SQL Injection when annotating FilteredRelation on PostgreSQL


Bug reported by Stackered, disclosed on December 2, 2025, 3:28 pm   |   Weakness: SQL Injection

A potential SQL injection vulnerability was discovered in Django's annotation of FilteredRelation on PostgreSQL. The vulnerability was caused by an incomplete regular expression filter in the FORBIDDEN_ALIAS_PATTERN. This allowed user input to be interpreted as raw strings, potentially enabling the execution of malicious SQL queries. The vulnerability was reported to the Django security team.