Django 5.2.7 release notes

October 1, 2025

Django 5.2.7 fixes one security issue with severity "high", one security issue with severity "low", and one bug in 5.2.6. Also, the latest string translations from Transifex are incorporated.

CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB

QuerySet.annotate(), alias(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (follow-up to CVE-2022-28346).

CVE-2025-59682: Potential partial directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory (follow-up to CVE-2021-3281).
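The two issues above share a theme: a string that reaches SQL as an identifier, or the filesystem as a path, needs a structural check rather than a loose one. The following is an added example, not Django's own code or its 5.2.7 patch; it shows a strict identifier check for untrusted annotation aliases and, for the extraction case, the weak prefix comparison next to a component-wise check. Directory names and aliases are constructed for illustration.

```python
import os
import re

# Constructed example (not Django's code). Column aliases passed as **kwargs to
# annotate()/alias()/aggregate()/extra() are emitted into SQL as identifiers, so
# keys that originate from untrusted input should be limited to a plain
# identifier shape before **kwargs expansion.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_alias(alias) -> bool:
    """Return True only for a string that is a plain SQL-safe identifier."""
    return isinstance(alias, str) and ALIAS_RE.fullmatch(alias) is not None


def filter_annotation_kwargs(kwargs: dict) -> dict:
    """Drop every key that does not pass validate_alias()."""
    return {k: v for k, v in kwargs.items() if validate_alias(k)}


# Weak containment test: a plain string prefix check. With target "/srv/app",
# a member resolving to "/srv/app_evil/x" passes because the two strings
# share the prefix "/srv/app" even though it is a different directory.
def naive_is_within(target_dir: str, member_path: str) -> bool:
    base = os.path.abspath(target_dir)
    dest = os.path.abspath(os.path.join(target_dir, member_path))
    return dest.startswith(base)


# Hardened containment test: compare whole path components. commonpath()
# of "/srv/app" and "/srv/app_evil/x" is "/srv", so the sibling is rejected,
# while "/srv/app/sub/file.txt" yields "/srv/app" and is accepted.
def is_within_directory(target_dir: str, member_path: str) -> bool:
    base = os.path.abspath(target_dir)
    dest = os.path.abspath(os.path.join(target_dir, member_path))
    return os.path.commonpath([base, dest]) == base
```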

Bugfixes

  • Fixed a regression in Django 5.2 that reduced the color contrast of the chosen label of filter_horizontal and filter_vertical widgets within a TabularInline (#36601).