CVE-2026-1312

Publication date 3 February 2026

Last updated 3 February 2026

Ubuntu priority

Why this priority?

Description

Potential SQL injection via QuerySet.order_by and FilteredRelation

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	25.10 questing	Fixed 3:5.2.4-1ubuntu2.3
	24.04 LTS noble	Fixed 3:4.2.11-1ubuntu1.14
	22.04 LTS jammy	Ignored see notes
	20.04 LTS focal	Ignored see notes
	18.04 LTS bionic	Ignored see notes
	16.04 LTS xenial	Ignored see notes
	14.04 LTS trusty	Ignored see notes

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

python-django 3.2.x in jammy and earlier versions support passing raw column aliases to order_by(), so fixing this issue would change behaviour and possibly introduce a regression in existing applications. Marking as ignored for jammy and earlier.

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-8009-1
Django vulnerabilities
3 February 2026

Other references

https://www.cve.org/CVERecord?id=CVE-2026-1312
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/