February 3, 2026
Django 4.2.28 fixes three security issues with severity “high”, two security issues with severity “moderate”, and one security issue with severity “low” in 4.2.27.
The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
This issue has severity “low” according to the Django security policy.
When receiving duplicates of a single header, ASGIRequest allowed a remote
attacker to cause a potential denial-of-service via a specifically created
request with multiple duplicate headers. The vulnerability resulted from
repeated string concatenation while combining repeated headers, which
produced super-linear computation resulting in service degradation or outage.
This issue has severity “moderate” according to the Django security policy.
Raster lookups on GIS fields (only implemented on PostGIS) were subject to SQL injection if untrusted data was used as a band index.
As a reminder, all untrusted user input should be validated before use.
This issue has severity “high” according to the Django security policy.
django.utils.text.Truncator HTML methods
django.utils.text.Truncator.chars() and Truncator.words() methods (with
html=True) and the truncatechars_html and
truncatewords_html template filters were subject to a potential
denial-of-service attack via certain inputs with a large number of unmatched
HTML end tags, which could cause quadratic time complexity during HTML parsing.
This issue has severity “moderate” according to the Django security policy.
FilteredRelation was subject to SQL injection in column aliases via
control characters, using a suitably crafted dictionary, with dictionary
expansion, as the **kwargs passed to QuerySet.annotate(),
aggregate(), extra(),
values(), values_list(), and
alias().
This issue has severity “high” according to the Django security policy.
QuerySet.order_by and FilteredRelation
QuerySet.order_by() was subject to SQL injection in column aliases
containing periods when the same alias was, using a suitably crafted
dictionary, with dictionary expansion, used in FilteredRelation.
This issue has severity “high” according to the Django security policy.
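The raster lookup and column alias issues above share one root cause: untrusted values reaching the ORM unvalidated, whether as a band index or as dictionary keys expanded into annotate(**kwargs) and the related methods. The following is an added example, not Django's own code, of fail-closed checks a project can apply to such values before they reach a query; the function names, the identifier-only alias rule and the max_bands default are assumptions.

```python
import re
import unicodedata

# Added example, not Django's own code: fail-closed checks for untrusted
# values before they reach the ORM as a raster band index or as a column
# alias expanded from a dict (annotate(**kwargs) and friends). Function
# names, the identifier-only alias rule and max_bands are assumptions.

# A safe alias is a plain identifier, which rules out the periods, quotes,
# whitespace and control characters the advisories above describe.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def has_control_chars(text: str) -> bool:
    """True if any character is Unicode category Cc (NUL, TAB, LF, ESC, DEL, ...)."""
    return any(unicodedata.category(ch) == "Cc" for ch in text)


def validate_alias(name: object) -> str:
    """Return name unchanged if it is a safe column alias, else raise ValueError."""
    if not isinstance(name, str):
        raise ValueError("alias must be a string")
    if has_control_chars(name):
        raise ValueError("alias contains control characters")
    if "." in name:
        raise ValueError("alias contains a period")
    if _ALIAS_RE.fullmatch(name) is None:
        raise ValueError("alias is not a plain identifier")
    return name


def validate_band_index(value: object, max_bands: int = 255) -> int:
    """Return value as an int in [0, max_bands], else raise ValueError.
    Only ASCII digits are accepted: str.isdigit()/int() also take non-ASCII
    digits, and bool is a subclass of int, so both are rejected."""
    if isinstance(value, bool):
        raise ValueError("band index must not be a bool")
    if isinstance(value, str):
        if re.fullmatch(r"[0-9]+", value) is None:
            raise ValueError("band index must be ASCII digits only")
        value = int(value)
    if not isinstance(value, int) or not 0 <= value <= max_bands:
        raise ValueError("band index out of range")
    return value


def safe_annotations(untrusted: dict) -> dict:
    """Validate every key before the dict is expanded into annotate(**kwargs); raises on the first bad alias."""
    return {validate_alias(key): expr for key, expr in untrusted.items()}
```

Call `qs.annotate(**safe_annotations(user_supplied))` instead of expanding the raw dictionary, and pass band indexes through `validate_band_index()` before building the raster lookup.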
Feb 18, 2026