[4.2.x] Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.

Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon Charette, and Jake Howard for the reviews. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-09-24 15:54:51 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:53:18 -0300
commit: 59ae82e67053d281ff4562a24bbba21299f0a7d4 (patch)
tree: 88d61922dfc7eb686bbdbd91aee26e466e601c0c /docs
parent: 770eea38d7a0e9ba9455140b5a9a9e33618226a7 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
index ae274c3361..20cf48f05c 100644
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -16,3 +16,10 @@ Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
 :func:`redirect() <django.shortcuts.redirect>` were subject to a potential
 denial-of-service attack via certain inputs with a very large number of Unicode
 characters (follow up to :cve:`2025-27556`).
+
+CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
+===========================================================================
+
+:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
+and :class:`~.Q` were subject to SQL injection using a suitably crafted
+dictionary, with dictionary expansion, as the ``_connector`` argument.
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-09-24 15:54:51 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:53:18 -0300
commit	59ae82e67053d281ff4562a24bbba21299f0a7d4 (patch)
tree	88d61922dfc7eb686bbdbd91aee26e466e601c0c /docs
parent	770eea38d7a0e9ba9455140b5a9a9e33618226a7 (diff)