An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

The detected version of the Django Python package, Django, is 4.2.x prior to 4.2.24, 5.1.x prior to 5.1.12, or 5.2.x prior to 5.2.6. It is, therefore, affected by a SQL injection vulnerability as disclosed in Django's September 3rd, 2025 security advisory. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6.
    FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with     dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias(). (CVE-2025-57833)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:03074-1 advisory.

    - CVE-2025-57833: Fixed potential SQL injection in FilteredRelation column aliases (bsc#1248810)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 host has a package installed that is affected by a vulnerability as referenced in the USN-7736-1 advisory.

    It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this     issue to perform a SQL injection.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0db8684f-8938-11f0-8325-bc2411f8eb0b advisory.

    Django reports:
    CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
264623	Python Library Django 4.2.x < 4.2.24 / 5.1.x < 5.1.12 / 5.2.x < 5.2.6 SQLi	Nessus	Misc.	high
261594	Linux Distros Unpatched Vulnerability : CVE-2025-57833	Nessus	Misc.	high
261521	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2025:03074-1)	Nessus	SuSE Local Security Checks	high
261429	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 : Django vulnerability (USN-7736-1)	Nessus	Ubuntu Local Security Checks	high
261417	FreeBSD : Django -- multiple vulnerabilities (0db8684f-8938-11f0-8325-bc2411f8eb0b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2025-57833

high

Tenable Plugins

high

high

high

high

high