{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"MEDIUM"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":null,
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1287"
			},
			{
				"summary":"CVE-2026-1287 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-1287.json"
			},
			{
				"summary":"openEuler-SA-2026-1507",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507"
			},
			{
				"summary":"CVE-2026-1287",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1287&packageName=python-django"
			}
		],
		"title":"openEuler cve CVE-2026-1287",
		"tracking":{
			"initial_release_date":"2026-03-09T15:10:56+08:00",
			"revision_history":[
				{
					"date":"2026-03-09T15:10:56+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-03-09T15:10:56+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-03-09T15:10:56+08:00",
			"id":"CVE-2026-1287",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"openEuler-20.03-LTS-SP4",
									"name":"openEuler-20.03-LTS-SP4"
								},
								"name":"openEuler-20.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
									"name":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm"
								},
								"name":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
									"name":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm"
								},
								"name":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-django-2.2.27-21.oe2003sp4.src.rpm",
									"name":"python-django-2.2.27-21.oe2003sp4.src.rpm"
								},
								"name":"python-django-2.2.27-21.oe2003sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
					"name":"python-django-help-2.2.27-21.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
					"name":"python3-Django-2.2.27-21.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-django-2.2.27-21.oe2003sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src",
					"name":"python-django-2.2.27-21.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-1287",
			"notes":[
				{
					"text":"A SQL injection vulnerability exists in the FilteredRelation component of the Django framework. An attacker can execute arbitrary SQL commands by manipulating column aliases through a specially crafted dictionary containing control characters, passed via dictionary expansion as the **kwargs argument to QuerySet methods such as annotate(), aggregate(), extra(), values(), values_list(), and alias(). This could lead to unauthorized database access, sensitive data disclosure, or data tampering. Affected versions include Django 6.0 series (from 6.0a1 up to, but not including, 6.0.2), 5.2 series (from 5.2a1 up to, but not including, 5.2.11), and 4.2 series (from 4.2a1 up to, but not including, 4.2.28). Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
					],
					"details":"python-django security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.4,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2026-1287"
		}
	]
}