
Commit 2ae9425

1 parent 580ffa7 commit 2ae9425

5 files changed

Lines changed: 280 additions & 78 deletions


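--- /dev/null
+++ b/<path-not-on-page>/GHSA-gvg8-93h5-g6qq.json
@@ -0,0 +1,111 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-gvg8-93h5-g6qq",
+"modified": "2026-02-03T19:34:22Z",
+"published": "2026-02-03T15:30:24Z",
+"aliases": [
+"CVE-2026-1287"
+],
+"summary": "Django has an SQL Injection issue",
+"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n\n`FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n\nDjango would like to thank Solomon Kebede for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0a1"
+},
+{
+"fixed": "6.0.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2a1"
+},
+{
+"fixed": "5.2.11"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2a1"
+},
+{
+"fixed": "4.2.28"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1287"
+},
+{
+"type": "WEB",
+"url": "https://github.com/django/django/commit/e891a84c7ef9962bfcc3b4685690219542f86a22"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-89"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-03T19:34:22Z",
+"nvd_published_at": "2026-02-03T15:16:13Z"
+}
+}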
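Review bot: The three `affected` ranges (introduced `6.0a1`, `5.2a1`, `4.2a1`, each closed by its `fixed` event) leave the 5.0.x, 5.1.x and pre-4.2 series outside every range, while the `details` text states those unsupported series "were not evaluated and may also be affected"; an OSV range matcher will therefore report installations on those series as unaffected. If the database's convention is that unevaluated, end-of-life series are intentionally not encoded as affected, that is consistent, but nothing in the record lets a consumer distinguish "not affected" from "not evaluated". The GHSA-mwm9-4648-f68q file below has the same ranges and the same wording, so the same point applies there.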
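--- /dev/null
+++ b/<path-not-on-page>/GHSA-mwm9-4648-f68q.json
@@ -0,0 +1,111 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-mwm9-4648-f68q",
+"modified": "2026-02-03T19:32:56Z",
+"published": "2026-02-03T15:30:23Z",
+"aliases": [
+"CVE-2026-1207"
+],
+"summary": "Django has an SQL Injection issue",
+"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n\nRaster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n\nDjango would like to thank Tarek Nakkouch for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0a1"
+},
+{
+"fixed": "6.0.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2a1"
+},
+{
+"fixed": "5.2.11"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2a1"
+},
+{
+"fixed": "4.2.28"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1207"
+},
+{
+"type": "WEB",
+"url": "https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-89"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-03T19:32:56Z",
+"nvd_published_at": "2026-02-03T15:16:13Z"
+}
+}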
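--- /dev/null
+++ b/<path-not-on-page>/GHSA-qgqw-h4xq-7w8w.json
@@ -0,0 +1,58 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-qgqw-h4xq-7w8w",
+"modified": "2026-02-03T19:33:32Z",
+"published": "2026-02-03T19:33:32Z",
+"aliases": [
+"CVE-2026-24887"
+],
+"summary": "Claude Code has a Command Injection in find Command Bypasses User Approval Prompt",
+"details": "Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. \n\nUsers on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks https://hackerone.com/alexbernier for reporting this issue!",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "@anthropic-ai/claude-code"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.0.72"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/anthropics/claude-code"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-78",
+"CWE-94"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-03T19:33:32Z",
+"nvd_published_at": null
+}
+}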
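Review bot: The `details` string carries a stray space before the first paragraph break (`context window. \n\n`), which surfaces as trailing whitespace in any consumer that splits the text on `\n\n`; `...Claude Code context window.\n\n` drops it. Separately, unlike the two Django records in this commit, `references` has no `ADVISORY`-typed entry for the `CVE-2026-24887` alias, only the `WEB` link to the GHSA itself; that is consistent with `nvd_published_at` being `null`, so presumably the NVD reference is expected to be added once NVD publishes rather than being an omission here.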

advisories/unreviewed/2026/02/GHSA-gvg8-93h5-g6qq/GHSA-gvg8-93h5-g6qq.json

Lines changed: 0 additions & 39 deletions
This file was deleted.

advisories/unreviewed/2026/02/GHSA-mwm9-4648-f68q/GHSA-mwm9-4648-f68q.json

Lines changed: 0 additions & 39 deletions
This file was deleted.
