CVE-2025-13372 | Django up to 4.2.26/5.1.14/5.2.8 FilteredRelation QuerySet.annotate/QuerySet.alias SQL injection (EUVD-2025-200249)
A vulnerability classified as critical has been found in Django up to 4.2.26/5.1.14/5.2.8. It affects the function QuerySet.annotate/QuerySet.alias of the component FilteredRelation. Manipulation of this function leads to SQL injection.
This vulnerability is tracked as CVE-2025-13372. The attack can be initiated remotely. No exploit is available.
It is recommended to upgrade the affected component.