A new security advisory flags multiple vulnerabilities in the Django web framework, and the overall message is clear: if you run Django in production, treat this update as urgent. The advisory describes a mix of SQL injection flaws, denial-of-service issues and a timing-based username disclosure that threaten the confidentiality, integrity and availability of affected apps.
What was discovered
The advisory lists six CVEs tied to Django vulnerabilities: CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312. It notes CVSS 3.1 base scores ranging from 7.5 to 8.1 for several of them, with the most severe items centered on SQL injection.
The most serious category: SQL injection in core Django features
Three of the highlighted vulnerabilities are high-severity SQL injection paths. In real life, SQL injection is still one of the most damaging classes of web bugs because it can lead to reading sensitive data, changing records, or in worst cases, full database compromise.
CVE-2026-1207 targets Django GIS raster field (RasterField) lookups on the PostGIS backend, where an untrusted band index isn't validated before it is used to build the query, allowing crafted input to inject SQL into the database query.
CVE-2026-1287 involves unsafe handling of column aliases containing control characters in ORM methods like annotate() and aggregate(). If user-controlled input makes its way into those aliases, an attacker may inject SQL into backend queries.
CVE-2026-1312 affects QuerySet.order_by() when combined with FilteredRelation, enabling SQL injection through crafted ordering expressions due to insufficient validation of alias inputs.
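As an added illustration of the point above, not code from the advisory or from Django itself, the following pure-Python helpers show the allowlist pattern a view can use so that client-supplied strings never become annotate()/aggregate() aliases or order_by() arguments. The model, endpoint and sort keys are constructed for the example; these checks reduce exposure in application code but are not a substitute for the patched releases.

```python
import re

# Aliases Django can quote safely are plain identifiers; anything else
# (control characters, whitespace, quotes, semicolons, comment markers)
# is refused outright rather than "sanitised".
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed allowlist for a hypothetical list endpoint: the only sort keys a
# client may send, mapped to the model field or annotation they resolve to.
ORDER_FIELDS = {
    "created": "created_at",
    "name": "name",
    "comments": "comment_count",  # annotation the view defines itself
}


def safe_alias(name):
    """Return `name` if it may be used as an annotate()/aggregate() alias.

    Raises ValueError for anything that is not a plain ASCII identifier,
    which covers the control-character case as well as quotes and SQL
    punctuation. Double underscores are also refused because Django uses
    "__" as its lookup separator.
    """
    if not isinstance(name, str) or _IDENT.fullmatch(name) is None:
        raise ValueError("illegal alias: %r" % (name,))
    if "__" in name:
        raise ValueError("alias may not contain '__': %r" % (name,))
    return name


def safe_order_by(raw, allowed=ORDER_FIELDS, max_keys=3):
    """Translate a user-supplied ?sort=-created,name into order_by() arguments.

    Each key must be in the allowlist; a leading "-" means descending.
    Unknown keys and oversized lists raise, so the strings that reach
    QuerySet.order_by() are always ones the view chose, never the client.
    """
    keys = [k.strip() for k in raw.split(",") if k.strip()]
    if len(keys) > max_keys:
        raise ValueError("too many sort keys")
    ordering = []
    for key in keys:
        descending = key.startswith("-")
        field = key[1:] if descending else key
        if field not in allowed:
            raise ValueError("unknown sort key: %r" % (field,))
        ordering.append(("-" if descending else "") + allowed[field])
    return ordering


# How a view would use these (Django not imported here; hypothetical model):
#   qs = Article.objects.annotate(
#       **{safe_alias("comment_count"): Count("comments")}
#   ).order_by(*safe_order_by(request.GET.get("sort", "")))
```

The important design choice is that the client never supplies the string that reaches the ORM: it supplies a key, and the view looks the key up. Rejecting rather than "cleaning" bad aliases also means a malformed request fails loudly, which is what you want in logs while hunting for exploitation attempts.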
The "availability killers": denial-of-service issues
Not every bug here is about stealing data. A couple focus on knocking apps over by burning CPU or memory.
CVE-2026-1285 is a DoS issue in Django's HTML-aware truncation helpers, the truncatechars_html and truncatewords_html template filters (and the django.utils.text.Truncator methods behind them). Specially crafted HTML with mismatched or deeply nested tags can trigger heavy CPU and memory use, so any page that runs untrusted, user-supplied HTML through these filters can be slowed down or knocked over by an unauthenticated client.
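As an added example (not from the advisory or Django), a cheap pre-check that measures an untrusted HTML fragment before it is handed to the HTML-aware truncation filter and diverts oversized or deeply nested input to a plain-text path. The limits and the template-filter usage in the trailing comment are assumptions for the example; the real fix remains upgrading.

```python
from html.parser import HTMLParser

# Constructed limits for this example; tune them to the content your
# templates really render.
MAX_HTML_LEN = 20_000   # characters handed to the truncation filter
MAX_TAG_DEPTH = 32      # deepest open-tag nesting
MAX_OPEN_TAGS = 2_000   # total opening tags

# Void elements never take an end tag, so they do not add nesting.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class _NestingProbe(HTMLParser):
    """Measure nesting depth and tag balance of an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.max_depth = 0
        self.open_tags = 0
        self.stray_closes = 0   # end tags with nothing open

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.open_tags += 1
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.depth == 0:
            self.stray_closes += 1
        else:
            self.depth -= 1


def html_complexity(fragment):
    """Return size and nesting statistics for `fragment`.

    Deliberately crude: it does not model implicit closing, so a run of
    unclosed <p> tags counts as nested, which is the conservative choice.
    """
    probe = _NestingProbe()
    probe.feed(fragment)
    probe.close()
    return {
        "length": len(fragment),
        "max_depth": probe.max_depth,
        "open_tags": probe.open_tags,
        "unclosed": probe.depth,
        "stray_closes": probe.stray_closes,
    }


def guard_html_for_truncation(fragment, max_len=MAX_HTML_LEN,
                              max_depth=MAX_TAG_DEPTH, max_open=MAX_OPEN_TAGS):
    """Return `fragment` unchanged if it is cheap to truncate as HTML.

    Raises ValueError otherwise; the caller should then strip tags and
    truncate as plain text instead of calling the HTML-aware filter.
    """
    stats = html_complexity(fragment)
    if stats["length"] > max_len:
        raise ValueError("fragment too long: %d" % stats["length"])
    if stats["max_depth"] > max_depth:
        raise ValueError("tags nested too deeply: %d" % stats["max_depth"])
    if stats["open_tags"] > max_open:
        raise ValueError("too many tags: %d" % stats["open_tags"])
    return fragment


# Hypothetical use in a custom template filter (Django not imported here):
#   try:
#       safe = guard_html_for_truncation(value)
#   except ValueError:
#       return Truncator(strip_tags(value)).chars(limit)     # plain-text path
#   return Truncator(safe).chars(limit, html=True)
```

The probe is linear in the input and stops nothing from rendering: a rejected fragment still gets truncated, just without tag-aware handling, which is an acceptable degradation for a preview snippet.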
CVE-2025-14550 is described as a DoS issue in Django's ASGI request handling, where excessive duplicate HTTP headers can drive up memory usage and degrade performance, again without requiring authentication.
A quieter risk: username inference via timing
CVE-2025-13473 is different from the others: it's a timing-based information disclosure issue in Django authentication under certain server configurations (the advisory mentions mod_wsgi as an example). The concern is that response-time differences can help an attacker infer whether a username exists, which can support brute-force or credential stuffing campaigns.
Are these being exploited right now?
The advisory states there are no confirmed reports of widespread exploitation in the wild at the time of publication. Still, it emphasizes that SQL injection issues are often readily exploitable if apps allow untrusted input to influence queries or aliases, and that DoS issues can be triggered remotely through typical HTTP interfaces.
Who is affected
The affected products span multiple Django branches, including:
• Django 5.2.x
• Django 6.0.x (and the unreleased main development branch)
The fix: update to patched versions
The advisory recommends updating to the latest patched releases for your branch:
• Django 5.2.11 (or later)
• Django 6.0.2 (or later)
It also stresses keeping dev, staging, and production aligned to avoid version drift where one environment stays vulnerable.
Practical mitigation steps while you roll out patches
If you need time to schedule the upgrade, the advisory suggests tightening the common risk areas that these CVEs touch:
• Never let user-controlled strings become ORM aliases, annotation names or ordering expressions; map them through an allowlist of known field names before they reach query methods such as annotate(), aggregate() or order_by()
• Limit acceptable sizes and formats of user input that can trigger heavy normalization or HTML truncation work
• Apply rate limiting and/or application firewall rules to block abusive patterns
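As an added example of the "limit sizes" and "block abusive patterns" mitigations applied to the ASGI duplicate-header DoS described earlier (not code from the advisory or Django), a small ASGI middleware that enforces a header budget in front of Django's handler and answers 431 when a request exceeds it. The limits, the stub inner app and the constructed requests driven by simulate() are assumptions for the example.

```python
import asyncio
from collections import Counter

# Constructed budget for this example; tune to what your clients really send.
MAX_HEADER_LINES = 100      # header (name, value) pairs per request
MAX_REPEATS = 8             # occurrences of any one header name
MAX_HEADER_BYTES = 32_768   # combined size of all names and values


class HeaderBudgetMiddleware:
    """ASGI middleware that refuses requests whose headers exceed a budget.

    It runs before Django's own ASGI handler sees the scope, so repeated or
    oversized headers are rejected with 431 before any merging or
    normalisation work happens.
    """

    def __init__(self, app, max_lines=MAX_HEADER_LINES,
                 max_repeats=MAX_REPEATS, max_bytes=MAX_HEADER_BYTES):
        self.app = app
        self.max_lines = max_lines
        self.max_repeats = max_repeats
        self.max_bytes = max_bytes

    def violation(self, headers):
        """Return a reason string if `headers` breaks the budget, else None."""
        if len(headers) > self.max_lines:
            return "too many header lines: %d" % len(headers)
        total = 0
        counts = Counter()
        for name, value in headers:
            total += len(name) + len(value)
            counts[name.lower()] += 1     # ASGI names are lowercase already
        if total > self.max_bytes:
            return "headers too large: %d bytes" % total
        if counts:
            name, n = counts.most_common(1)[0]
            if n > self.max_repeats:
                return "header %r repeated %d times" % (name.decode("latin-1"), n)
        return None

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            reason = self.violation(scope.get("headers", []))
            if reason is not None:
                body = reason.encode()
                await send({
                    "type": "http.response.start",
                    "status": 431,   # Request Header Fields Too Large
                    "headers": [
                        (b"content-type", b"text/plain; charset=utf-8"),
                        (b"content-length", str(len(body)).encode()),
                    ],
                })
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


async def _inner_app(scope, receive, send):
    """Stand-in for get_asgi_application(): always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate(headers):
    """Drive the middleware with a constructed scope; return the status sent."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    asyncio.run(HeaderBudgetMiddleware(_inner_app)(scope, receive, send))
    return sent[0]["status"]


# In asgi.py you would wrap Django's handler instead of _inner_app:
#   application = HeaderBudgetMiddleware(get_asgi_application())
```

Because the check reads only scope["headers"], which the server has already parsed, it costs one pass over the list and rejects before the request body is consumed. Pair it with the rate limiting in the bullet above so a client that trips the budget repeatedly is throttled rather than merely refused.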
Final thoughts
Even without confirmed mass exploitation, this is the kind of advisory that deserves fast action because it combines "high impact" (SQL injection) with "easy to trigger remotely" (DoS). If Django is a core part of your stack, treat this as a patch-now item, then follow up by auditing any places where user input might influence ORM aliases, ordering, or query construction.