diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.26.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt index ae274c3361..20cf48f05c 100644 --- a/docs/releases/4.2.26.txt +++ b/docs/releases/4.2.26.txt @@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, :func:`redirect() <django.shortcuts.redirect>` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters (follow up to :cve:`2025-27556`). + +CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument +=========================================================================== + +:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`, +and :class:`~.Q` were subject to SQL injection using a suitably crafted +dictionary, with dictionary expansion, as the ``_connector`` argument. |
