Diffstat (limited to 'docs/releases/5.2.9.txt')
-rw-r--r-- docs/releases/5.2.9.txt 8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index 9dfcc392a0..08c298999a 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -7,6 +7,14 @@ Django 5.2.9 release notes
Django 5.2.9 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.8.
+CVE-2025-13372: Potential SQL injection in ``FilteredRelation`` column aliases on PostgreSQL
+============================================================================================
+
+:class:`.FilteredRelation` was subject to SQL injection in column aliases,
+using a suitably crafted dictionary, with dictionary expansion, as the
+``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
+PostgreSQL.
+
Bugfixes
========
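
Review bot: The new CVE-2025-13372 section never states its severity, although the intro paragraph directly above it announces one "high" and one "moderate" issue, so a reader cannot tell which of the two this entry is; consider closing the section with a sentence naming the severity. The body sentence is also hard to parse because of its two comma-separated asides ("using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs``"). Rewording it to say that the keys of a dictionary expanded as ``**kwargs`` into ``annotate()`` or ``alias()`` end up as column aliases would make it clear that the exposure is caller-controlled keyword names, which is what users need to audit for. Only one security section is added in this hunk, so the second issue the intro announces still needs its own entry.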