December 2, 2025
Django 4.2.27 fixes one security issue with severity "high", one security issue with severity "moderate", and one bug in 4.2.26.
FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
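The injection vector described above is the alias position itself: the keys of a dictionary expanded into annotate()/alias() become column aliases. Beyond upgrading, the defence is to never let untrusted input choose those keys. The following is an added example (not Django's code and not part of the release notes) showing the allow-list pattern: client-requested names are checked against a server-defined mapping before any **kwargs expansion. The ALLOWED_ANNOTATIONS mapping and its placeholder string values are constructed for this example; in a real view the values would be FilteredRelation or other expression objects.

```python
import re
from typing import Any, Iterable, Mapping

# Alias names must be plain identifiers. Django does not enforce this for the
# keys of **kwargs; the check is defence in depth so that untrusted input never
# reaches the alias position at all.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Server-defined annotation names and the expressions behind them. Constructed
# for this example: the values are placeholder strings standing in for the
# FilteredRelation(...) objects a real view would use, so it runs without Django.
ALLOWED_ANNOTATIONS = {
    "recent_books": "FilteredRelation('book', condition=Q(book__year__gte=2020))",
    "active_members": "FilteredRelation('member', condition=Q(member__active=True))",
}


def safe_annotation_kwargs(
    requested: Iterable[str], allowed: Mapping[str, Any]
) -> dict[str, Any]:
    """Build **kwargs for QuerySet.annotate()/alias() from an allow-list.

    ``requested`` holds the names a client asked for (query-string values or
    the keys of a posted JSON object). Each name must be a plain identifier
    *and* a key of ``allowed``; anything else raises instead of being expanded
    into **kwargs. The caller then writes
    ``qs.annotate(**safe_annotation_kwargs(names, ALLOWED_ANNOTATIONS))``
    instead of ``qs.annotate(**untrusted_dict)``.
    """
    kwargs: dict[str, Any] = {}
    for name in requested:
        if not isinstance(name, str) or not _IDENTIFIER.match(name):
            raise ValueError(f"annotation name {name!r} is not a plain identifier")
        if name not in allowed:
            raise ValueError(f"annotation name {name!r} is not exposed here")
        kwargs[name] = allowed[name]
    return kwargs


def rejects(requested: Iterable[str], allowed: Mapping[str, Any]) -> bool:
    """True if safe_annotation_kwargs() refuses the requested names."""
    try:
        safe_annotation_kwargs(requested, allowed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed client input: one exposed name, one malformed, one unknown.
    print(safe_annotation_kwargs(["recent_books"], ALLOWED_ANNOTATIONS))
    print(rejects(["recent books"], ALLOWED_ANNOTATIONS))
    print(rejects(["unknown_alias"], ALLOWED_ANNOTATIONS))
```

The identifier regex alone is not the mitigation; the allow-list is. The regex only guarantees that even a mistake in the allow-list cannot let a non-identifier through to the SQL layer.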
Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
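To make the complexity difference concrete, here is an added example (written for this page; it is not Django's getInnerText() and reconstructs only the general pattern the note describes). Both collectors produce the same inner text for a nested element tree, but the first re-joins the accumulated text at every level of the recursion, so each ancestor copies everything beneath it again, while the second appends fragments to one shared list and joins once. The nested document is constructed inline; the counters record how many characters each approach copies.

```python
from xml.dom import Node, minidom

TEXT_TYPES = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)


def inner_text_join_per_level(node, stats):
    """Recursive collector that joins the accumulated text at every level.

    Reconstructed pattern for illustration, not Django's code: every ancestor
    re-copies all the text beneath it, so with d nested elements that each
    carry text the copied characters grow as roughly d*d/2.
    """
    parts = []
    for child in node.childNodes:
        if child.nodeType in TEXT_TYPES:
            parts.append(child.data)
        elif child.nodeType == Node.ELEMENT_NODE:
            parts.append(inner_text_join_per_level(child, stats))
    text = "".join(parts)
    stats["chars_copied"] += len(text)  # cost of this level's join
    return text


def inner_text_single_pass(node, stats):
    """Collect text fragments into one shared list and join exactly once."""
    parts = []

    def walk(current):
        for child in current.childNodes:
            if child.nodeType in TEXT_TYPES:
                parts.append(child.data)
            elif child.nodeType == Node.ELEMENT_NODE:
                walk(child)

    walk(node)
    text = "".join(parts)
    stats["chars_copied"] += len(text)  # the only copy made
    return text


def nested_document(depth):
    """Constructed input: <root><x>a<x>a...</x></x></root> with `depth` levels."""
    return "<root>" + "<x>a" * depth + "</x>" * depth + "</root>"


def compare(depth):
    """Run both collectors on the same document and report text and copy costs."""
    root = minidom.parseString(nested_document(depth)).documentElement
    per_level_stats = {"chars_copied": 0}
    single_pass_stats = {"chars_copied": 0}
    per_level_text = inner_text_join_per_level(root, per_level_stats)
    single_pass_text = inner_text_single_pass(root, single_pass_stats)
    return {
        "same_text": per_level_text == single_pass_text,
        "text": single_pass_text,
        "join_per_level": per_level_stats["chars_copied"],
        "single_pass": single_pass_stats["chars_copied"],
    }


if __name__ == "__main__":
    for depth in (10, 100, 200):
        result = compare(depth)
        print(depth, result["join_per_level"], result["single_pass"])
```

For a depth of d the single-pass collector copies d characters once, while the per-level version copies 1 + 2 + ... + d characters inside the nested elements plus d more at the root. The text is identical either way, which is why this class of bug is invisible to functional tests and only shows up as CPU time on hostile input.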
Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters (#36743).
April 20, 2026
This article is compiled from the official Django 6.0 Chinese documentation; please credit the source when reposting.