The Django Software Foundation has released emergency security patches for six flaws affecting several supported versions of the well-known Python web framework. The updates, published on February 3, 2026, fix vulnerabilities that allow user account enumeration, denial-of-service scenarios, and SQL injection attacks. Django is a popular open-source Python web framework that powers major platforms such as Bitbucket, Mozilla, and Instagram.

The framework is perfect for creating database-driven websites because it prioritizes quick development and adheres to the Model-Template-View architectural pattern. Django 6.0.2, 5.2.11, and 4.2.28 are security releases that target all versions that are currently supported. One vulnerability is rated as "low," two as "moderate," and three as "high." To avoid possible exploitation, the Django team strongly advises making updates right away.

Important SQL Injection Vulnerabilities

Three high-severity SQL injection vulnerabilities were found in Django's database handling mechanisms. Raster lookups on GIS fields implemented on PostGIS are affected by CVE-2026-1207, which enables attackers to insert malicious SQL when untrusted data is used as a band index. PostGIS raster functionality allows spatial raster data to be stored and queried in PostgreSQL databases.

CVE-2026-1287 allows SQL injection through column aliases containing control characters when FilteredRelation is used with crafted dictionaries passed to QuerySet methods such as annotate(), aggregate(), and values(). For applications that depend on filtered relation operations, this vulnerability greatly increases the attack surface. CVE-2026-1312 permits SQL injection through QuerySet.order_by() when FilteredRelation operations are combined with column aliases that contain periods.
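As an added example (not Django's own code and not part of the fixes), the following pure-Python allowlist validator shows the kind of input hardening a deployment can apply in front of the three query paths named above: a client-chosen ordering is matched against a fixed set of fields, FilteredRelation/annotate aliases must be plain identifiers (which excludes both periods and control characters), and a raster band index must be a bounded integer. The field names, limits and parameter keys are constructed for the demo; the validator runs without Django installed and returns only cleaned values that can then be handed to the ORM.

```python
"""Allowlist validation for client-controlled query parameters before they
reach Django's ORM. Added example: not Django's code and not the patch.
Field names, limits and parameter keys below are constructed for the demo.
"""
import re

# Constructed allowlist: the only model fields a client may sort by.
ORDERABLE_FIELDS = frozenset({"created", "title", "author__name"})

# Aliases must be plain identifiers: ASCII letters, digits and underscore,
# at most 64 characters. Periods and control characters cannot match.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

MAX_BAND_INDEX = 64  # constructed upper bound for the demo


class UnsafeQueryInput(ValueError):
    """Raised when a client-supplied query parameter fails validation."""


def safe_order_by(requested) -> str:
    """Return a value fit for QuerySet.order_by(), or raise.

    An optional leading '-' selects descending order; the remainder must be
    exactly one of ORDERABLE_FIELDS, so client-invented aliases, periods and
    control characters never reach the ORM.
    """
    if not isinstance(requested, str) or not requested:
        raise UnsafeQueryInput("ordering must be a non-empty string")
    field = requested[1:] if requested.startswith("-") else requested
    if field not in ORDERABLE_FIELDS:
        raise UnsafeQueryInput(f"ordering field not permitted: {requested!r}")
    return requested


def safe_alias(requested) -> str:
    """Return a FilteredRelation/annotate alias that is a plain identifier."""
    if not isinstance(requested, str) or not _ALIAS_RE.fullmatch(requested):
        raise UnsafeQueryInput(f"alias is not a plain identifier: {requested!r}")
    return requested


def safe_band_index(requested) -> int:
    """Return a raster band index as a bounded int (bool/str/float rejected)."""
    if isinstance(requested, bool) or not isinstance(requested, int):
        raise UnsafeQueryInput(f"band index must be an int: {requested!r}")
    if not 0 <= requested <= MAX_BAND_INDEX:
        raise UnsafeQueryInput(f"band index out of range: {requested}")
    return requested


def validate_query_params(params: dict) -> dict:
    """Validate a dict of client query params and return only cleaned values.

    Unknown keys are dropped, so a crafted dictionary cannot be forwarded
    wholesale to annotate()/aggregate()/values() as **kwargs.
    """
    cleaned = {}
    if "order_by" in params:
        cleaned["order_by"] = safe_order_by(params["order_by"])
    if "alias" in params:
        cleaned["alias"] = safe_alias(params["alias"])
    if "band" in params:
        cleaned["band"] = safe_band_index(params["band"])
    return cleaned


def is_rejected(validator, value) -> bool:
    """True when the validator raises UnsafeQueryInput for the value."""
    try:
        validator(value)
    except UnsafeQueryInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed request parameters: one clean, one with a dotted alias.
    print(validate_query_params({"order_by": "-created", "band": 2, "extra": 1}))
    print(is_rejected(safe_alias, "rel.alias"), is_rejected(safe_alias, "rel\x00alias"))
```

The validator is deliberately an allowlist rather than a denylist of characters: the page reports that periods and control characters were the specific injection vectors, but a fixed set of permitted field names also covers any delimiter the database driver treats specially that the application author did not think of.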

Attackers may compromise sensitive data by manipulating query ordering parameters to run arbitrary SQL commands.

| CVE | Vulnerability type | Severity | Affected component | Status |
|---|---|---|---|---|
| CVE-2025-13473 | Enumeration of usernames through timing attack | Low | mod_wsgi authentication handler | Patched |
| CVE-2026-1207 | SQL injection via raster lookups | High | PostGIS GIS fields | Patched |
| CVE-2025-14550 | Denial-of-service via duplicate headers | Moderate | ASGI request handler | Patched |
| CVE-2026-1285 | HTML truncation denial-of-service | Moderate | django.utils.text.Truncator | Patched |
| CVE-2026-1287 | SQL injection in column aliases | High | FilteredRelation query | Patched |
| CVE-2026-1312 | SQL injection via order_by() | High | QuerySet.order_by() | Patched |

Two moderate-severity denial-of-service vulnerabilities were also fixed in the latest releases. Asynchronous web requests handled by Django's ASGI implementation are affected by CVE-2025-14550.

The flaw lies in how ASGIRequest handles duplicate HTTP headers: values are combined by repeated string concatenation, so a request carrying many repeated headers forces super-linear computation that degrades service performance.
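As an added example (not Django's code and not the patch), the following ASGI middleware shows a compensating control for the behaviour described above: it counts repeats per header name in the raw ASGI scope and answers 431 before the request ever reaches Django, and it includes a linear-time merge of duplicate header values for contrast with the repeated-concatenation pattern. The limits, the inner application and the sample requests are constructed for the demo.

```python
"""ASGI middleware that rejects header-duplication floods before Django sees
them. Added example: not Django's code and not the patch. Limits, the inner
app and the sample requests are constructed for the demo.
"""
import asyncio
from collections import Counter

MAX_REPEATS_PER_HEADER = 8   # constructed limit
MAX_TOTAL_HEADERS = 200      # constructed limit


def header_repeat_counts(raw_headers) -> Counter:
    """Map lower-cased header name -> number of occurrences.

    ASGI presents headers as an iterable of (name_bytes, value_bytes) pairs,
    one pair per occurrence, so duplicates are visible here.
    """
    return Counter(name.lower() for name, _ in raw_headers)


def worst_repeat(raw_headers) -> int:
    """Highest occurrence count of any single header name (0 if none)."""
    return max(header_repeat_counts(raw_headers).values(), default=0)


def is_header_flood(raw_headers) -> bool:
    """True when the request exceeds either constructed limit."""
    if len(raw_headers) > MAX_TOTAL_HEADERS:
        return True
    return worst_repeat(raw_headers) > MAX_REPEATS_PER_HEADER


def merge_duplicate_headers(raw_headers) -> dict:
    """Linear-time merge: bucket values per name, then join each bucket once.

    Repeatedly doing `merged = merged + b"," + value` copies the growing
    string on every step, which is the super-linear pattern the article
    describes; a single join after bucketing does the same work in O(n).
    """
    buckets = {}
    for name, value in raw_headers:
        buckets.setdefault(name.lower(), []).append(value)
    return {name: b",".join(values) for name, values in buckets.items()}


class HeaderFloodGuard:
    """ASGI middleware: answer 431 for flooding requests, else call the app."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope.get("type") == "http" and is_header_flood(scope.get("headers", [])):
            await send({"type": "http.response.start", "status": 431,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"too many headers"})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Constructed stand-in for the Django ASGI application."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def probe_status(raw_headers) -> int:
    """Run a constructed GET through the guard and return the response status."""
    scope = {"type": "http", "method": "GET", "path": "/", "headers": list(raw_headers)}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(HeaderFloodGuard(_ok_app)(scope, receive, send))
    return sent[0]["status"]


# Constructed sample requests: a normal one and one repeating a header 500 times.
NORMAL_HEADERS = [(b"host", b"example.test"), (b"accept", b"*/*"), (b"accept", b"text/html")]
FLOOD_HEADERS = [(b"x-probe", b"a")] * 500

if __name__ == "__main__":
    print(probe_status(NORMAL_HEADERS), probe_status(FLOOD_HEADERS))
```

Wrap the Django ASGI application with `HeaderFloodGuard` in the ASGI entry module (or apply the same counting in a reverse proxy). Upgrading to the patched release remains the actual fix; the guard only bounds the work a single request can trigger in any component that still merges repeated headers naively.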

CVE-2026-1285 affects the HTML truncation functionality of django.utils.text.Truncator and could disrupt programs that depend on that text-processing capability. When combined with credential-stuffing attacks, these DoS vectors have the potential to cause widespread disruption to Django deployments. The 6.0, 5.2, and 4.2 series of Django, as well as the main development branch, are all affected.

The Django Software Foundation has made patches available for all supported branches, with individual GitHub commits for each vulnerability. System administrators should update to the patched versions right away and make sure that all untrusted user input is validated before it is used in database operations. Organizations running Django in production should treat the high-severity SQL injection vulnerabilities as a top priority, especially where FilteredRelation queries or PostGIS functionality are in use. The denial-of-service vulnerabilities affecting ASGI deployments need immediate attention for high-traffic applications that are susceptible to targeted disruption.