summaryrefslogtreecommitdiff
path: root/docs/releases/5.0.8.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/5.0.8.txt')
-rw-r--r--docs/releases/5.0.8.txt7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 2a0823d0ca..37f51f71c7 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 04:47:16 +0000