PyPI: django

CVE-2025-59681

Safety vulnerability ID: SFTY-20251001-06055

Safety legacy ID: pyup.io-80041

Affected versions of the Django package are vulnerable to SQL Injection due to insufficient neutralization of user-controlled column alias names provided via dictionary expansion. The QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods accept **kwargs whose keys are used as column aliases, and on MySQL and MariaDB, those identifiers are not safely quoted, permitting crafted input to be incorporated into the generated SQL.
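The guard below is an added illustration, not Django's own validation code and not part of this advisory: it shows how a project can protect any annotate()/alias()/aggregate()/extra() call whose keyword names originate from untrusted input, first by refusing alias names that are not bare identifiers, and second by the stronger design of letting callers select from a fixed, server-defined catalogue so that no user string ever becomes a **kwargs key. The catalogue values are constructed placeholder strings standing in for real Django expressions, so the block runs without Django installed.

```python
import re

# Allow-list for alias names: identifier characters only, bounded length.
# Added illustration; this is NOT Django's own alias validation.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class UnsafeAliasName(ValueError):
    """Raised when a would-be column alias fails the allow-list."""


def check_alias_names(aliases):
    """Return a copy of ``aliases`` if every key is a plain identifier.

    Keys carrying quotes, backticks, whitespace or comment markers have
    meaning in SQL identifier quoting, so any key outside the allow-list
    is rejected outright rather than "sanitised" into something else.
    """
    cleaned = {}
    for name, expr in aliases.items():
        if not isinstance(name, str) or ALIAS_RE.fullmatch(name) is None:
            raise UnsafeAliasName(f"refusing column alias {name!r}")
        cleaned[name] = expr
    return cleaned


def pick_annotations(requested, catalogue):
    """Safer design: users choose *which* server-defined annotations to add,
    never the alias text itself. ``catalogue`` maps fixed alias -> expression;
    unknown requests are ignored, so no user string reaches a **kwargs key."""
    return {name: catalogue[name] for name in requested if name in catalogue}


# Constructed sample catalogue: strings stand in for Django expressions such
# as Sum("lines__price") so the demo imports without Django.
ORDER_ANNOTATIONS = {"total": "Sum(lines__price)", "n_lines": "Count(lines)"}

if __name__ == "__main__":
    # Plain identifiers pass through untouched ...
    print(check_alias_names({"total": "Sum(lines__price)"}))
    # ... while a key that is not a bare identifier is refused before it could
    # become a column alias (the real call would be qs.annotate(**kwargs)).
    try:
        check_alias_names({"total`": "Sum(lines__price)"})
    except UnsafeAliasName as exc:
        print(exc)
    print(pick_annotations(["total", "nope"], ORDER_ANNOTATIONS))
```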

Created at: Apr 14, 2026. Updated at: Apr 14, 2026.

Overview

Django vulnerable to SQL injection in column aliases

Affected Package

Affecting django package, versions:
>=4.2,<4.2.25
>=5.1,<5.1.13
>=5.2,<5.2.7

How to Fix

Upgrade django to 4.2.25, 5.1.13 or 5.2.7, or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.