VYPR
Critical severity9.8NVD Advisory· Published Feb 3, 2020· Updated Jun 17, 2026

CVE-2020-7471

CVE-2020-7471

Description

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
DjangoPyPI
< 1.11.281.11.28
DjangoPyPI
>= 2.0, < 2.2.102.2.10
DjangoPyPI
>= 3.0, < 3.0.33.0.3

Affected products

239

Patches

Vulnerability mechanics

References

24

News mentions

0

No linked articles in our index yet.