summaryrefslogtreecommitdiff
path: root/docs/releases/4.2.28.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/4.2.28.txt')
-rw-r--r--docs/releases/4.2.28.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt
index 67d398308c..aa06882806 100644
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -29,3 +29,15 @@ produced super-linear computation resulting in service degradation or outage.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
+====================================================================
+
+:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
+on PostGIS) were subject to SQL injection if untrusted data was used as a band
+index.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
generated by cgit v1.3 (git 2.53.0) at 2026-06-30 18:21:18 +0000