CVE-2026-1287: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
AI Analysis
Technical Summary
CVE-2026-1287 is a SQL injection vulnerability in Django, a widely used Python web framework, affecting 4.2 before 4.2.28, 5.2 before 5.2.11, and 6.0 before 6.0.2. The issue lies in the FilteredRelation feature, which adds a filtered join to a Django ORM query. When a FilteredRelation is passed to annotate(), aggregate(), extra(), values(), values_list(), or alias() through dictionary expansion (**kwargs), each dictionary key becomes a column alias in the generated SQL. On affected versions, keys containing control characters are not neutralized before they reach the SQL statement (CWE-89), so an application that lets attacker-influenced strings become those keys can have arbitrary SQL injected through the alias position. Depending on the query and the database account's privileges this permits unauthorized reads, data modification, or denial of service through crafted queries. Earlier, unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected. The issue was reported by Solomon Kebede; no public exploit is known at the time of writing. The advisory carries no CVSS score, so severity has to be assessed independently from the potential impact and the exploitability of each application.
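The shape of the problem described above, as an added example that is not code from Django or from this page: `build_kwargs_unsafe()` shows client input becoming a dictionary key (and so a column alias), and `build_kwargs_hardened()` shows the fix, an allowlist that maps a client-chosen report name to a server-owned alias, backed by a validator that rejects any key carrying a Unicode control or format character or anything that is not a plain ASCII identifier. Django is not imported, so the tuple values stand in for `FilteredRelation(relation, condition=Q(**lookups))`; the report catalogue, the parameter names, and the `alias_rejection_reason`/`checked_kwargs` helpers are assumptions for this illustration, and the keys used in the checks are constructed inputs.

```python
import re
import unicodedata

# Added example, not Django code. Keys expanded as **kwargs into annotate(),
# aggregate(), extra(), values(), values_list() or alias() end up as SQL column
# aliases, so they must be plain identifiers chosen by the server, never by the client.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def alias_rejection_reason(alias):
    """Return None if `alias` is an acceptable column alias, else why it was rejected.

    Control characters are checked first and by Unicode category, so the check
    does not depend on a hand-maintained list of bad bytes.
    """
    if not isinstance(alias, str) or not alias:
        return "empty or non-string alias"
    for ch in alias:
        # Category C* covers Cc (control), Cf (format), Cs (surrogate),
        # Co (private use) and Cn (unassigned).
        if unicodedata.category(ch).startswith("C"):
            return f"control/format character U+{ord(ch):04X}"
    if not ALIAS_RE.fullmatch(alias):
        return "not a plain ASCII identifier"
    return None


def checked_kwargs(kwargs):
    """Validate every key before `qs.annotate(**checked_kwargs(kwargs))`."""
    for key in kwargs:
        reason = alias_rejection_reason(key)
        if reason is not None:
            raise ValueError(f"refusing column alias {key!r}: {reason}")
    return dict(kwargs)


def rejects(kwargs):
    """True if checked_kwargs() refuses this mapping (helper for tests and audits)."""
    try:
        checked_kwargs(kwargs)
    except ValueError:
        return True
    return False


# Server-owned catalogue (constructed for this example): the client picks a
# report *name*; the alias, relation and condition lookups are fixed here.
# The tuple stands in for FilteredRelation(relation, condition=Q(**lookups)).
REPORTS = {
    "recent_books": ("recent_books", "book", {"book__published__year__gte": 2024}),
    "cheap_books": ("cheap_books", "book", {"book__price__lt": 10}),
}


def build_kwargs_unsafe(params):
    """Vulnerable shape: a client-supplied string becomes the dict key, i.e. the alias.

    On affected Django versions, control characters in that key reach the SQL
    alias unneutralized. `params` mimics request.GET (assumption).
    """
    alias = params["alias"]
    return {alias: ("book", params.get("lookups", {}))}


def build_kwargs_hardened(params):
    """Hardened shape: allowlist lookup, then the validator as a second line of defence."""
    try:
        alias, relation, lookups = REPORTS[params["report"]]
    except KeyError:
        raise ValueError("unknown report") from None
    return checked_kwargs({alias: (relation, lookups)})
```

The allowlist is the real fix: once the alias is a constant chosen by the application, the client never influences the dictionary key at all. The validator is kept as defence in depth for code paths the audit missed.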
Potential Impact
For European organizations this vulnerability poses a significant risk because Django is widely used in web applications, including e-commerce sites, government portals, and enterprise systems. Successful exploitation could lead to unauthorized data disclosure, data corruption, or compromise of the backend database, affecting confidentiality, integrity, and availability, with consequent GDPR exposure, financial loss, reputational damage, and operational disruption. Exploitation requires an application code path in which attacker-influenced strings become the dictionary keys, that is the column aliases, expanded into one of the listed QuerySet methods; where such a path is reachable through request data it can be triggered remotely without user interaction, and whether authentication is needed depends entirely on the application. Organizations running vulnerable Django versions should assess the risk of targeted attacks, particularly in sectors handling sensitive personal or financial data. The impact is greatest in applications that build queries dynamically from request input with insufficient validation.
Mitigation Recommendations
The primary mitigation is to upgrade to Django 4.2.28, 5.2.11, or 6.0.2 (or a later release in the same series), where the issue is fixed. The unsupported series named in the advisory (5.0.x, 4.1.x, 3.2.x) were not evaluated and will not receive a fix, so deployments on those series should be migrated to a supported one. Audit codebases for FilteredRelation and for calls to annotate(), aggregate(), extra(), values(), values_list(), and alias() that take a dynamically built mapping via ** expansion, and refactor so that the dictionary keys (the column aliases) are fixed by the application rather than derived from request data; where a client must choose among aliases, map its input through an allowlist. Validate and reject any remaining user-controlled strings that participate in query construction. At the database level, run the application under a least-privilege account and log queries so that anomalous statements can be detected. Include static analysis and dynamic tests of ORM query generation in security testing, monitor advisories, and apply patches promptly. Where an immediate upgrade is not feasible, isolate the vulnerable application and restrict access to trusted users.
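Two checks for the recommendations above, as an added example that is neither Django's code nor part of this page: `status_for()` classifies a Django version string against the three fixed releases the advisory names, and `audit_source()` walks a module's AST to find the listed QuerySet methods being called with `**` dictionary expansion, separating a static dict literal (string keys fixed in source) from a dynamically built mapping, plus any FilteredRelation construction. `audit_tree()` applies it to every `.py` file under a directory. The `SAMPLE` module and the result labels (`affected`, `fixed`, `not_listed`, `unparsed`) are constructed for this example.

```python
import ast
import re
import sys
from pathlib import Path

# Fixed releases named in the advisory, keyed by series (added example, not Django code).
FIXED_IN = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def status_for(version):
    """'affected' or 'fixed' for the three listed series; 'not_listed' for any other
    series (including the unevaluated 5.0.x/4.1.x/3.2.x); 'unparsed' for pre-release
    strings such as '6.0.2rc1', which need a manual decision."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        return "unparsed"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "not_listed"
    return "fixed" if (major, minor, patch) >= fixed else "affected"


# QuerySet methods named in the advisory as accepting the crafted **kwargs.
QS_METHODS = {"annotate", "aggregate", "extra", "values", "values_list", "alias"}


def _callee_name(func):
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _expansion_kind(value):
    """A `**{...}` whose keys are all string literals cannot carry client-chosen aliases."""
    if isinstance(value, ast.Dict) and all(
        isinstance(k, ast.Constant) and isinstance(k.value, str) for k in value.keys
    ):
        return "static_dict_literal"
    return "dynamic_dict_expansion"


def audit_source(src, filename="<string>"):
    """Return sorted (line, callee, kind) findings for one module's source text."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        if name == "FilteredRelation":
            findings.append((node.lineno, name, "construction"))
        elif name in QS_METHODS:
            for kw in node.keywords:
                if kw.arg is None:  # this is the `**mapping` argument
                    findings.append((node.lineno, name, _expansion_kind(kw.value)))
    return sorted(findings)


def audit_tree(root):
    """Audit every .py file under `root`; yields (path, line, callee, kind)."""
    for path in sorted(Path(root).rglob("*.py")):
        try:
            src = path.read_text(encoding="utf-8")
            results = audit_source(src, str(path))
        except (OSError, UnicodeDecodeError, SyntaxError):
            continue
        for line, callee, kind in results:
            yield (str(path), line, callee, kind)


# Constructed sample module: one risky call site and one that is fine.
SAMPLE = '''
from django.db.models import FilteredRelation, Q

def report(request, qs):
    # alias names taken from the query string: the pattern to refactor
    kwargs = {request.GET["alias"]: FilteredRelation("book", condition=Q(book__title__startswith="A"))}
    return qs.annotate(**kwargs).values("name")

def safe_report(qs):
    return qs.annotate(**{"recent": FilteredRelation("book")}).values_list("name", "recent__title")
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE, "sample.py"):
        print(finding)
    for finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Every `dynamic_dict_expansion` finding needs a human to trace where the mapping's keys come from; the audit only narrows the search to the call sites the advisory names. Run as `python audit.py /path/to/project` (name assumed) to list them across a codebase.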
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: DSF
- Date Reserved: 2026-01-21T14:04:43.515Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69820d79f9fa50a62fcd604a
Added to database: 2/3/2026, 3:00:09 PM
Last enriched: 2/3/2026, 3:15:08 PM
Last updated: 2/3/2026, 5:24:56 PM
Related Threats
- CVE-2026-1568: CWE-347 Improper Verification of Cryptographic Signature in Rapid7 Vulnerability Management (Critical)
- CVE-2025-67857: Insertion of Sensitive Information Into Sent Data (Medium)
- CVE-2025-67856 (Medium)
- CVE-2025-67855: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Medium)
- CVE-2025-67853: Improper Restriction of Excessive Authentication Attempts (High)