Python and Django: why CVE-2025-64459 should be taken seriously
An important flaw in an ecosystem often seen as careful by default
Django has a strong security reputation. That is exactly why CVE-2025-64459 is worth studying. According to Django's security release notes and the NVD entry, QuerySet.filter(), exclude(), get(), and the Q() class could be subject to SQL injection when a specially crafted dictionary was expanded (via **kwargs) into their _connector argument.
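The usage pattern the advisory describes is expanding a dictionary the application did not build itself straight into filter(), exclude(), get() or Q(). The helper below is an added example, not code from the article or from Django: it models the check a view should run before `Product.objects.filter(**kwargs)`. It needs no Django import, and the allowlist, the `Product` model and the `UnsafeFilterKey` exception are assumptions for illustration. It rejects any underscore-prefixed key (Django reserves those, including `_connector`, for internal keyword arguments) and then requires every remaining key to be a lookup the developer deliberately exposed.

```python
# Added example, not part of the original article or of Django itself.
# Guards the risky pattern behind CVE-2025-64459: expanding a client-supplied
# dictionary into QuerySet.filter(**params) or Q(**params) without vetting keys.
from typing import Any, Mapping


class UnsafeFilterKey(ValueError):
    """Raised when a request-supplied key is not an approved field lookup."""


# Hypothetical allowlist for a product search view (an assumption for this
# example, not anything Django provides). Only these lookups may be expanded.
ALLOWED_LOOKUPS: frozenset[str] = frozenset({
    "name__icontains",
    "category__slug",
    "price__gte",
    "price__lte",
    "is_active",
})


def safe_filter_kwargs(params: Mapping[Any, Any],
                       allowed: frozenset[str] = ALLOWED_LOOKUPS) -> dict[str, Any]:
    """Return a dict that is safe to expand into QuerySet.filter(**...).

    Two checks, in this order:
      1. Any non-string or underscore-prefixed key is rejected outright. Django's
         filter()/exclude()/get() and Q() use underscore-prefixed keyword
         arguments (the advisory names _connector) for internal plumbing, and
         nothing a client sends should ever reach them.
      2. Every remaining key must be on the view's explicit allowlist, so the
         client can only select lookups the developer chose to expose.
    """
    cleaned: dict[str, Any] = {}
    for key, value in params.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise UnsafeFilterKey(f"internal-looking kwarg rejected: {key!r}")
        if key not in allowed:
            raise UnsafeFilterKey(f"lookup not allowlisted: {key!r}")
        cleaned[key] = value
    return cleaned


def is_safe_filter(params: Mapping[Any, Any]) -> bool:
    """Convenience predicate: True if safe_filter_kwargs would accept params."""
    try:
        safe_filter_kwargs(params)
    except UnsafeFilterKey:
        return False
    return True


def build_product_filter(query_params: Mapping[Any, Any]) -> dict[str, Any]:
    """What a view would call right before Product.objects.filter(**kwargs)."""
    return safe_filter_kwargs(query_params)


if __name__ == "__main__":
    # Constructed request parameters, shaped like what a web view receives.
    good = {"name__icontains": "lamp", "price__lte": "50"}
    print("accepted:", build_product_filter(good))
    for bad in ({"_connector": "anything"}, {"password__startswith": "a"}):
        try:
            build_product_filter(bad)
        except UnsafeFilterKey as exc:
            print("rejected:", exc)
```

The same helper applies to Q(**params): build the Q object only from the cleaned dictionary, never from the raw request mapping. The allowlist is the real control; the underscore rule is a second line of defence for the case this CVE describes, and it costs nothing to keep after upgrading.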
Why this matters
The lesson is not that Django ORM is broadly unsafe. The more useful lesson is that safe abstractions are still conditional. They reduce risk dramatically, but they do not remove it by magic when unusual usage patterns appear.
The CVE lists the fixed versions as 5.2.8, 5.1.14, and 4.2.26.
What this says about Python web development
Python attracts many teams that value readability, delivery speed, and strong framework defaults. That is a good foundation. But that culture can also create too much confidence in higher-level abstractions.
As soon as usage drifts away from common patterns, disciplined review becomes necessary again.
The real lesson
With Django, many developers correctly believe they avoid a large class of classic SQL injection mistakes. But the right habit is not to say the ORM always protects us. The right habit is to know which security assumptions the ORM really guarantees, and which edge cases fall outside those assumptions.
What Django teams should verify
Our view
CVE-2025-64459 is a strong Python web example because it hits a major trust anchor in the ecosystem: the belief that the framework absorbs almost all low-level query risk.
The useful conclusion is not "distrust Django". It is "distrust broad certainty about what the framework covers in every edge case".