author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-01-19 15:42:33 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-03 08:01:15 -0500
commit: 8f77e7301174834573614ae90e1826fdf27f8a24
tree: 3db431f61e0b3a6c9f86df5836073b37a0d4f210 /docs
parent: 972dbdd4f7f69e9c405e6fe12a1b90e4713c1611
[6.0.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review. Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
Diffstat (limited to 'docs')
 -rw-r--r--  docs/releases/4.2.28.txt  12
 -rw-r--r--  docs/releases/5.2.11.txt  12
 -rw-r--r--  docs/releases/6.0.2.txt   12
3 files changed, 36 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt
index 67d398308c..aa06882806 100644
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -29,3 +29,15 @@ produced super-linear computation resulting in service degradation or outage.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
+====================================================================
+
+:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
+on PostGIS) were subject to SQL injection if untrusted data was used as a band
+index.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
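Review bot: The body states the exposure ("were subject to SQL injection if untrusted data was used as a band index") but not what the fix enforces, so a reader of this note cannot tell whether upgrading alone closes the issue or whether the reminder to validate input is still load-bearing for the band index specifically; suggest one sentence after the first paragraph saying what a raster lookup now does with a band index that is not a valid value, in line with the commit message's "Prevented SQL injections in RasterField lookups via band index".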
diff --git a/docs/releases/5.2.11.txt b/docs/releases/5.2.11.txt
index 1e5187d7ec..73a0cd23b3 100644
--- a/docs/releases/5.2.11.txt
+++ b/docs/releases/5.2.11.txt
@@ -29,3 +29,15 @@ produced super-linear computation resulting in service degradation or outage.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
+====================================================================
+
+:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
+on PostGIS) were subject to SQL injection if untrusted data was used as a band
+index.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
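Review bot: The parenthetical "(only implemented on PostGIS)" reads as qualifying "GIS fields" rather than the raster lookups, and it repeats the title's "on PostGIS"; suggest rewording the first paragraph to "Raster lookups on GIS fields, which are only implemented on PostGIS, were subject to SQL injection if untrusted data was used as a band index." This hunk is the 5.2.11 copy of the 4.2.28 text, so the same change belongs in all three release notes.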
diff --git a/docs/releases/6.0.2.txt b/docs/releases/6.0.2.txt
index a258259195..8a694d4430 100644
--- a/docs/releases/6.0.2.txt
+++ b/docs/releases/6.0.2.txt
@@ -30,6 +30,18 @@ produced super-linear computation resulting in service degradation or outage.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+CVE-2026-1207: Potential SQL injection via raster lookups on PostGIS
+====================================================================
+
+:ref:`Raster lookups <spatial-lookup-raster>` on GIS fields (only implemented
+on PostGIS) were subject to SQL injection if untrusted data was used as a band
+index.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "high" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========
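Review bot: The severity line in the new section wraps as "Django security policy" / "<security-disclosure>`", while the preceding CVE entry in the same file (the context lines at the top of this hunk) wraps as "Django security" / "policy <security-disclosure>`"; both render identically in Sphinx, but the 6.0.2 note sits directly next to that entry and should follow its line breaking, with the 4.2.28 and 5.2.11 copies adjusted the same way so the three files stay identical.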