CVE- 2026-1207 is a high-severity SQL injection vulnerability in Django, with a CVSS score of 8.3. It affects versions >= 6.0a1, < 6.0.2, >= 5.2a1, < 5.2.11, and >= 4.2a1, < 4.2.28, specifically during RasterField lookups in PostGIS databases. The flaw has been confirmed to be exploited in the wild, enabling low-privilege attackers to potentially read, change, or delete database records. The vulnerability was patched in versions 6.0.2, 5.2.11, and 4.2.28, released on February 3, 2026. Affected users are urged to update immediately, while those unable to patch should audit their queries and tighten database permissions.
Django SQLi bug CVE-2026-1207 exploited, patch urged
CyberSIXT Evidence Panel
Article by CyberSIXT