February 3, 2026
Django 4.2.28 fixes three security issues with severity "high", two security issues with severity "moderate", and one security issue with severity "low" in 4.2.27.
The django.contrib.auth.handlers.modwsgi.check_password() function for
authentication via mod_wsgi
allowed remote attackers to enumerate users via a timing attack.
This issue has severity "low" according to the Django security policy.
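The enumeration works because a lookup for a username that does not exist can return before any password hashing is done, while a real user's wrong password pays for a full hash. The following is an added example, not Django's check_password() or its User model: an in-memory user store stands in for the database, and the "dummy hash on the miss path" is the same idea as Django's hasher.harden_runtime(). The counter of hash computations is what the check asserts on, because wall-clock timing is too noisy to assert on reliably.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store for this example (stands in for Django's User table):
# username -> (salt, PBKDF2-HMAC-SHA256 digest). Not Django code.
ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {"alice": _make_user("correct horse battery staple")}

# Salt used to spend a real hash computation on unknown usernames, so "no such user"
# costs the same as "wrong password" (the same idea as Django's hasher.harden_runtime()).
_DUMMY_SALT = os.urandom(16)

# Counts how many password hashes each checker computed; the test inspects this instead of
# wall-clock time, which is too noisy to assert on.
STATS = {"hashes": 0}


def check_password_leaky(environ, username, password):
    """Vulnerable shape: returns None before doing any hashing when the user does not exist.
    A remote attacker can tell known and unknown usernames apart by response time."""
    user = USERS.get(username)
    if user is None:
        return None
    STATS["hashes"] += 1
    salt, digest = user
    return hmac.compare_digest(_hash(password, salt), digest)


def check_password_hardened(environ, username, password):
    """Hardened shape: exactly one hash computation on every path, constant-time compare."""
    user = USERS.get(username)
    STATS["hashes"] += 1
    if user is None:
        _hash(password, _DUMMY_SALT)   # burn the same work as a real check, then reject
        return None
    salt, digest = user
    return hmac.compare_digest(_hash(password, salt), digest)


def median_ms(checker, username, password, rounds=15):
    """Median wall-clock cost of one call, for eyeballing the timing gap locally."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        checker({}, username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for checker in (check_password_leaky, check_password_hardened):
        known = median_ms(checker, "alice", "wrong password")
        unknown = median_ms(checker, "mallory", "wrong password")
        print(f"{checker.__name__}: known user {known:.2f} ms, unknown user {unknown:.2f} ms")
```

Running the block prints the per-call medians; the leaky checker answers an unknown username in microseconds while the hardened one takes the same tens of milliseconds either way. The return convention (None for no such user, True/False for a known user) follows the mod_wsgi handler's contract.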
When receiving duplicates of a single header, ASGIRequest allowed a remote
attacker to cause a potential denial-of-service via a specifically created
request with multiple duplicate headers. The vulnerability resulted from
repeated string concatenation while combining repeated headers, which
produced super-linear computation resulting in service degradation or outage.
This issue has severity "moderate" according to the Django security policy.
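To see why repeated concatenation is super-linear, the added example below (not Django's ASGIRequest code) builds a META-style dictionary from an ASGI header list, which ASGI delivers as (name, value) byte pairs, in two ways: concatenating each duplicate onto the accumulated string, and collecting values in a list and joining once. Both report the number of characters copied, and the header list is constructed to mimic a request with thousands of copies of one header.

```python
# Constructed example, not Django's ASGIRequest code. Shows why repeated string
# concatenation of duplicate headers is super-linear and how a list-then-join is linear.
# ASGI hands a request's headers to the application as a list of (name, value) byte pairs.


def _meta_key(name: bytes) -> str:
    # CGI-style key, e.g. b"x-forwarded-for" -> "HTTP_X_FORWARDED_FOR"
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def combine_headers_naive(headers):
    """Vulnerable shape: each duplicate rebuilds the whole combined string, so n copies of
    a header cost O(n^2) character copies. Returns (META-like dict, characters copied)."""
    meta, copied = {}, 0
    for name, value in headers:
        key = _meta_key(name)
        text = value.decode("latin1")
        if key in meta:
            text = meta[key] + "," + text     # copies everything accumulated so far, again
        copied += len(text)
        meta[key] = text
    return meta, copied


def combine_headers_linear(headers):
    """Fixed shape: accumulate the values of each header in a list and join once at the end."""
    parts, copied = {}, 0
    for name, value in headers:
        text = value.decode("latin1")
        parts.setdefault(_meta_key(name), []).append(text)
        copied += len(text)
    meta = {key: ",".join(values) for key, values in parts.items()}
    copied += sum(len(text) for text in meta.values())   # the single join
    return meta, copied


def crafted_headers(n: int):
    """Constructed malicious request: n copies of the same 10-byte header."""
    return [(b"host", b"example.com")] + [(b"x-dup", b"aaaaaaaaaa")] * n


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        _, slow = combine_headers_naive(crafted_headers(n))
        _, fast = combine_headers_linear(crafted_headers(n))
        print(f"n={n}: naive copied {slow:,} chars, linear copied {fast:,} chars")
```

Doubling n roughly quadruples the naive count and doubles the linear one, which is the whole difference between a request that costs milliseconds and one that pins a worker. Capping the total size or number of headers at the server in front of the application is the usual defence in depth, independent of this fix.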
Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index.
As a reminder, all untrusted user input should be validated before use.
This issue has severity "high" according to the Django security policy.
django.utils.text.Truncator HTML methods

django.utils.text.Truncator.chars() and Truncator.words() methods (with
html=True) and the truncatechars_html and
truncatewords_html template filters were subject to a potential
denial-of-service attack via certain inputs with a large number of unmatched
HTML end tags, which could cause quadratic time complexity during HTML parsing.
This issue has severity "moderate" according to the Django security policy.
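The quadratic case arises when an HTML truncator resolves every end tag by scanning its stack of open tags from the top: an end tag that matches nothing inspects the whole stack, and an attacker can send many such tags behind a deep stack. The added example below is not Django's Truncator; it is a minimal HTML-aware character truncator that keeps its output well formed and can be switched between the scanning behaviour and a variant that first consults a per-name count of open tags, so an unmatched end tag is dropped in O(1). The `work` counter it returns makes the two cost curves visible, and the payload generator is constructed for the example.

```python
import re
from collections import Counter

# Added example, not Django's Truncator. A minimal HTML-aware character truncator that
# closes open tags, with a switch between the quadratic and the linear way of handling
# end tags. Input strings used with it are constructed.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*>")
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "wbr"}
ELLIPSIS = "..."


def _tokens(html):
    """Yield ('text', str) and ('tag', match) tokens in document order."""
    pos = 0
    for m in TAG_RE.finditer(html):
        if m.start() > pos:
            yield "text", html[pos:m.start()]
        yield "tag", m
        pos = m.end()
    if pos < len(html):
        yield "text", html[pos:]


def truncate_html(html, limit, *, linear=True):
    """Keep the first `limit` text characters, close whatever is still open, and return
    (result, work) where `work` counts the lookups done while handling end tags.

    linear=False reproduces the vulnerable behaviour: every end tag, matched or not, is
    resolved by scanning the stack from the top, so an end tag that matches nothing
    inspects the whole stack. linear=True consults a per-name count of open tags first
    and drops an unmatched end tag after a single lookup.
    """
    out, open_tags, open_count = [], [], Counter()
    chars = work = 0
    for kind, tok in _tokens(html):
        if kind == "text":
            room = limit - chars
            if len(tok) > room:
                out.append(tok[:room] + ELLIPSIS)
                break
            out.append(tok)
            chars += len(tok)
            continue
        is_end, name = tok.group(1) == "/", tok.group(2).lower()
        if not is_end:
            out.append(tok.group(0))
            if name not in VOID_TAGS:
                open_tags.append(name)
                open_count[name] += 1
            continue
        if linear:
            work += 1                       # one counter lookup
            if open_count[name] == 0:
                continue                    # unmatched end tag: nothing to scan for
        idx = len(open_tags) - 1
        while idx >= 0:
            work += 1                       # one stack slot inspected
            if open_tags[idx] == name:
                break
            idx -= 1
        if idx < 0:
            continue                        # unmatched (only reachable when linear=False)
        # Close the match and anything opened after it, so the output stays well formed.
        while len(open_tags) > idx:
            closed = open_tags.pop()
            open_count[closed] -= 1
            out.append(f"</{closed}>")
    for name in reversed(open_tags):        # close what the cut left open
        out.append(f"</{name}>")
    return "".join(out), work


def unmatched_end_tag_payload(n):
    """Constructed attacker input: n open tags, then n end tags that match none of them."""
    return "<i>" * n + "x" + "</zz>" * n + "y"


if __name__ == "__main__":
    for n in (250, 500, 1000):
        _, slow = truncate_html(unmatched_end_tag_payload(n), 10_000, linear=False)
        _, fast = truncate_html(unmatched_end_tag_payload(n), 10_000)
        print(f"n={n}: scanning did {slow:,} lookups, counting did {fast:,}")
```

Matched end tags stay cheap in both variants because each open tag is popped at most once, so the scan is amortised over the pushes; only the unmatched tags, which pop nothing, can be replayed against the full stack, and that is exactly what the counter check removes.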
FilteredRelation was subject to SQL injection in column aliases via
control characters, using a suitably crafted dictionary, with dictionary
expansion, as the **kwargs passed to QuerySet.annotate(),
aggregate(), extra(),
values(), values_list(), and
alias().
This issue has severity "high" according to the Django security policy.
QuerySet.order_by and FilteredRelation

QuerySet.order_by() was subject to SQL injection in column aliases
containing periods when the same alias, supplied through a suitably crafted
dictionary with dictionary expansion, was also used in a FilteredRelation.
This issue has severity "high" according to the Django security policy.
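The three "high" issues above (the raster band index, the FilteredRelation aliases containing control characters, and the order_by() aliases containing periods) share one root cause: a value that arrives through **kwargs or a lookup tuple ends up in a position of the SQL text where it is not a bound parameter, so it has to be validated as an identifier or an integer, not merely quoted. The added example below is not Django's ORM code; it shows the validation a column alias and a band index need before they reach a SQL string, a toy annotate()/order_by() stand-in that runs every alias through it, and an illustrative raster lookup whose SQL shape is the example's own, not Django's PostGIS template.

```python
import re
import unicodedata

# Added example, not Django's ORM code. Shows the validation a column alias and a raster
# band index need before they are spliced into SQL, and why dictionary expansion
# (`annotate(**untrusted)`) puts attacker-chosen strings in the alias position.

# Quotes, brackets, semicolons, whitespace and SQL comment tokens: the kind of alias
# characters an ORM has to refuse. This pattern is the example's own, not Django's.
FORBIDDEN_ALIAS_RE = re.compile(r"""['`"\[\];\s]|--|/\*|\*/""")


def validate_alias(alias) -> str:
    """Reject anything that could break out of a quoted "alias" or change how it is parsed."""
    if not isinstance(alias, str) or not alias:
        raise ValueError("alias must be a non-empty string")
    if FORBIDDEN_ALIAS_RE.search(alias):
        raise ValueError(f"forbidden token in alias {alias!r}")
    # Control and format characters (Unicode categories Cc, Cf, ...) are invisible in logs
    # and may be treated as separators by a database's tokenizer; reject the whole block.
    if any(unicodedata.category(ch).startswith("C") for ch in alias):
        raise ValueError(f"control character in alias {alias!r}")
    # A period would let the alias be resolved as table.column when it is reused in
    # order_by() or in a FilteredRelation condition.
    if "." in alias:
        raise ValueError(f"period in alias {alias!r}")
    return alias


def alias_is_safe(alias) -> bool:
    try:
        validate_alias(alias)
    except ValueError:
        return False
    return True


def validate_band_index(band) -> int:
    """A PostGIS raster band index is a 1-based integer; accept nothing else."""
    if isinstance(band, bool) or not isinstance(band, int):   # bool is an int subclass
        raise TypeError(f"band index must be an int, got {type(band).__name__}")
    if band < 1:
        raise ValueError(f"band index must be >= 1, got {band}")
    return band


IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def build_select(table, order_by=(), **annotations):
    """Toy stand-in for annotate(**kwargs).order_by(*aliases): keys are aliases, values are
    trusted column names. Every alias passes validate_alias() before reaching the SQL string."""
    if not IDENT_RE.match(table):
        raise ValueError(f"bad table name {table!r}")
    cols = []
    for alias, column in annotations.items():
        if not IDENT_RE.match(column):
            raise ValueError(f"bad column name {column!r}")
        cols.append(f'"{column}" AS "{validate_alias(alias)}"')
    sql = f'SELECT {", ".join(cols)} FROM "{table}"'
    if order_by:
        sql += " ORDER BY " + ", ".join(f'"{validate_alias(a)}"' for a in order_by)
    return sql


def build_raster_filter(column, band, value_placeholder="%s"):
    """Illustrative lookup shape (not Django's PostGIS template): the band index is the only
    value interpolated into the SQL text, and only after it has been proven to be an int."""
    if not IDENT_RE.match(column):
        raise ValueError(f"bad column name {column!r}")
    return f'ST_Value("{column}", {validate_band_index(band)}, {value_placeholder})'


if __name__ == "__main__":
    print(build_select("app_item", order_by=["p"], p="price"))
    # Dictionary expansion puts request-controlled keys in the alias position:
    crafted = {"p\x01; DROP TABLE app_item --": "price"}
    try:
        build_select("app_item", **crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

The practical rule this encodes: never build the dictionary you pass to annotate(), values(), alias() or order_by() from request data without allowlisting the keys, and treat a band index like any other integer parameter by converting it with int() and range-checking it before it goes anywhere near a query.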
April 20, 2026
This article is compiled from the official Django 6.0 documentation in Chinese; please credit the source when reproducing it.