From a14363102d98fa29b8cced578eb3a0fadaa5bcb7 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Mon, 19 Jan 2026 15:42:33 -0500 Subject: [4.2.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review. Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main. --- docs/releases/4.2.28.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt index 67d398308c..aa06882806 100644 --- a/docs/releases/4.2.28.txt +++ b/docs/releases/4.2.28.txt @@ -29,3 +29,15 @@ produced super-linear computation resulting in service degradation or outage. This issue has severity "moderate" according to the :ref:`Django security policy `. + +CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS +==================================================================== + +:ref:`Raster lookups ` on GIS fields (only implemented +on PostGIS) were subject to SQL injection if untrusted data was used as a band +index. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "high" according to the :ref:`Django security policy +`. -- cgit v1.3
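Review bot: the two new `:ref:` roles in this hunk (":ref:`Raster lookups `" and the closing ":ref:`Django security policy `") show no `<label>` target as rendered here, and the pre-existing ":ref:`Django security policy `" in the context lines has the same gap; if this is not just extraction stripping the angle brackets, Sphinx will emit a broken cross-reference for each, so confirm the targets are present in the committed file before release. The note also explains only the condition (untrusted data used as a band index) and not what the fix does or the effect on callers, which the rest of the 4.2.28 notes do give for the adjacent entry; one sentence stating how the band index is now handled would make the entry self-contained for readers deciding whether to upgrade.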