summaryrefslogtreecommitdiff
path: root/docs/releases/4.2.27.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/4.2.27.txt')
-rw-r--r--docs/releases/4.2.27.txt8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/4.2.27.txt b/docs/releases/4.2.27.txt
index 7ffa5fa458..e95dc63f74 100644
--- a/docs/releases/4.2.27.txt
+++ b/docs/releases/4.2.27.txt
@@ -7,6 +7,14 @@ Django 4.2.27 release notes
Django 4.2.27 fixes one security issue with severity "high", one security issue
with severity "moderate", and one bug in 4.2.26.
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 02:47:57 +0000