An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
https://groups.google.com/g/django-announce
https://bugzilla.redhat.com/show_bug.cgi?id=2436342
https://access.redhat.com/security/cve/CVE-2026-1312
https://access.redhat.com/errata/RHSA-2026:6291
https://access.redhat.com/errata/RHSA-2026:5971
https://access.redhat.com/errata/RHSA-2026:5970
https://access.redhat.com/errata/RHSA-2026:3962
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:3959
https://access.redhat.com/errata/RHSA-2026:3958