GHSA-pv4p-cwwg-4rph

GitHub Security Advisory

Django SQL injection vulnerability

GitHub Reviewed: Yes | Severity: CRITICAL | Has CVE: Yes

Advisory Details

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The QuerySet.values() and values_list() methods, when used on models with a JSONField, are subject to SQL injection in column aliases via a crafted JSON object key passed as a positional (*args) argument.
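As an added, defender-side illustration (not Django's code and not part of this advisory), the following checks whether an installed Django release falls inside the affected ranges listed above, and shows a conservative allow-list for the lookup names an application passes to values() / values_list(). The allow-list is an assumption of this example (plain identifier segments joined by "__"); upgrading to a fixed release is the actual remediation.

```python
import re
from typing import Iterable

# One identifier-like segment; a lookup such as data__key__nested is a
# sequence of such segments joined by "__". Assumption of this example:
# legitimate key names used by the application are plain identifiers.
_SEGMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_lookup(name: str) -> bool:
    """True if every "__"-separated segment of the lookup is an identifier."""
    if not isinstance(name, str) or not name:
        return False
    return all(_SEGMENT.fullmatch(seg) for seg in name.split("__"))


def filter_lookups(names: Iterable[str]) -> list:
    """Keep only allow-listed names; the result is what gets passed as *args."""
    return [n for n in names if is_safe_lookup(n)]


def _parse(version: str) -> tuple:
    # Keep the first three numeric components of a release string.
    return tuple(int(p) for p in version.split(".")[:3])


# Affected ranges from the advisory: 5.0 before 5.0.8, 4.2 before 4.2.15.
FIXED = {(5, 0): (5, 0, 8), (4, 2): (4, 2, 15)}


def is_affected(version: str) -> bool:
    """True if a Django release string is inside an affected range.

    Versions outside the 5.0 and 4.2 series return False because this
    advisory only covers those two series.
    """
    parsed = _parse(version)
    series = parsed[:2]
    if series not in FIXED:
        return False
    padded = parsed + (0,) * (3 - len(parsed))
    return padded < FIXED[series]


if __name__ == "__main__":
    # Constructed sample input: a mix of valid and malformed lookup names.
    print(filter_lookups(["id", "data__owner", "data__bad name"]))
    print(is_affected("5.0.7"), is_affected("5.0.8"))
```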

Affected Packages

PyPI Django
Affected versions: 5.0 (fixed in 5.0.8)
PyPI Django
Affected versions: 4.2 (fixed in 4.2.15)

Related CVEs

Key Information

GHSA ID
GHSA-pv4p-cwwg-4rph
Published
August 7, 2024 3:30 PM
Last Modified
September 3, 2024 9:53 PM
CVSS Score
9.0 /10
Primary Ecosystem
PyPI
Primary Package
Django
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 9, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.