path: root/docs/releases/4.2.25.txt
Diffstat (limited to 'docs/releases/4.2.25.txt')
-rw-r--r-- docs/releases/4.2.25.txt 9
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/releases/4.2.25.txt b/docs/releases/4.2.25.txt
index 69f238c3c1..5412777055 100644
--- a/docs/releases/4.2.25.txt
+++ b/docs/releases/4.2.25.txt
@@ -7,4 +7,11 @@ Django 4.2.25 release notes
Django 4.2.25 fixes one security issue with severity "high" and one security
issue with severity "low" in 4.2.24.
-...
+CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
+======================================================================================================================================
+
+:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
+:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
+to SQL injection in column aliases, using a suitably crafted dictionary, with
+dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
+:cve:`2022-28346`).
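Review bot: the context lines at the top of this hunk say 4.2.25 fixes one "high" and one "low" severity issue, but the only entry added here is the high-severity CVE-2025-59681 section; the low-severity entry is missing from this hunk and should either be added in the same change or its presence elsewhere in the file confirmed before merge. The new paragraph also describes only the unsafe input (column aliases taken from a crafted dictionary passed via ``**kwargs`` to ``annotate()``, ``alias()``, ``aggregate()`` and ``extra()`` on MySQL and MariaDB) and not what the fix changes; one sentence stating how the fixed versions handle such aliases would let readers judge whether their own code is affected, as the linked :cve:`2022-28346` note did for the earlier issue.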