CVE-2025-64459
Potential SQL injection via _connector keyword argument in QuerySet and Q objects
| CVSS Score | 9.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is passed, via dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.
| CWE | CWE-89 |
| Vendor | djangoproject |
| Product | django |
| Published | Nov 5, 2025 |
| Last Updated | Feb 26, 2026 |
Affected Versions
djangoproject / Django
| 5.2 | < 5.2.8 |
| 5.1 | < 5.1.14 |
| 4.2 | < 4.2.26 |
References
docs.djangoproject.com: https://docs.djangoproject.com/en/dev/releases/security/
groups.google.com: https://groups.google.com/g/django-announce
djangoproject.com: https://www.djangoproject.com/weblog/2025/nov/05/security-releases/
shivasurya.me: https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
Credits
cyberstan, Jacob Walls, Natalia Bidart