securityonline.info 2/4/2026, 2:45:20 AM

Urgent Django Update: Patches 3 Critical SQL Injections & DoS Risks

The Django maintainers have issued an urgent security release, Django 6.0.2, Django 5.2.11, and Django 4.2.28, fixing six distinct flaws. The most serious are three high-severity SQL injection vulnerabilities (CVE-2026-1207, CVE-2026-1287, CVE-2026-1312) that could allow an attacker to run arbitrary SQL or bypass Django's built-in protections.

CVE-2026-1207 affects applications that use PostGIS for geographic data: according to the advisory, raster lookups on GIS fields are subject to SQL injection when untrusted data is used as a band index. Beyond the injection flaws, the release closes two denial-of-service vectors, CVE-2025-14550 affecting ASGI handling and CVE-2026-1285 in the text truncation utilities, either of which could degrade service or cause an outage.

The sixth fix covers low-severity CVE-2025-13473, a timing attack in the mod_wsgi authentication handler that could let a remote attacker enumerate valid users through response-time differences. According to Django, these fixes are intended to tighten security across all supported versions and reduce risk for the applications built on them.

Article by CyberSIXT