CVE-2026-1207
Potential SQL injection via raster lookups on PostGIS
5.4
MEDIUM
CVSS 3.1
EPSS 5.3%
Description
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on `RasterField` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
How to fix CVE-2026-1207
To remediate CVE-2026-1207, upgrade the affected package to a fixed version below.
- —upgrade to 4.2.28 or later
- —upgrade to 2:2.2.28-1~deb11u12 or later
- —upgrade to 6.0.2 or later
- —upgrade to 4.2.28 or later
Is CVE-2026-1207 being exploited?
Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (4)
- >= 4.2.0, < 4.2.28, >= 5.2.0, < 5.2.11, >= 6.0.0, < 6.0.2
- from 0, < 2:2.2.28-1~deb11u12
- >= 6.0a1, < 6.0.2
- >= 4.2, < 4.2.28, >= 5.2, < 5.2.11, >= 6.0, < 6.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |