An update for python-django is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1507 Final 1.0 1.0 2026-03-06 Initial 2026-03-06 2026-03-06 openEuler SA Tool V1.0 2026-03-06 python-django security update An update for python-django is now available for openEuler-20.03-LTS-SP4 A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fix(es): An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of "low" according to the Django security policy.(CVE-2025-13473) An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-1207) An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.(CVE-2026-1285) A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.(CVE-2026-1287) An SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods, and the same alias is reused in FilteredRelation via a specially crafted dictionary using dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.(CVE-2026-1312) An update for python-django is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-django https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-13473 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1207 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1285 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1287 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1312 https://nvd.nist.gov/vuln/detail/CVE-2025-13473 https://nvd.nist.gov/vuln/detail/CVE-2026-1207 https://nvd.nist.gov/vuln/detail/CVE-2026-1285 https://nvd.nist.gov/vuln/detail/CVE-2026-1287 https://nvd.nist.gov/vuln/detail/CVE-2026-1312 openEuler-20.03-LTS-SP4 python-django-help-2.2.27-21.oe2003sp4.noarch.rpm python3-Django-2.2.27-21.oe2003sp4.noarch.rpm python-django-2.2.27-21.oe2003sp4.src.rpm An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of "low" according to the Django security policy. 2026-03-06 CVE-2025-13473 openEuler-20.03-LTS-SP4 Medium 5.3 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N python-django security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507 An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. 2026-03-06 CVE-2026-1207 openEuler-20.03-LTS-SP4 Medium 5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N python-django security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507 An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. 2026-03-06 CVE-2026-1285 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-django security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507 A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected. 2026-03-06 CVE-2026-1287 openEuler-20.03-LTS-SP4 Medium 5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N python-django security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507 An SQL injection vulnerability exists in the Django framework when the QuerySet.order_by() method processes column aliases containing periods, and the same alias is reused in FilteredRelation via a specially crafted dictionary using dictionary expansion. An attacker could exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized information disclosure or arbitrary code execution within the database. This vulnerability affects Django 6.0 (before version 6.0.2), Django 5.2 (before version 5.2.11), and Django 4.2 (before version 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. 2026-03-06 CVE-2026-1312 openEuler-20.03-LTS-SP4 Medium 5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N python-django security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507