September 3, 2025
Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.
FilteredRelation column aliases¶FilteredRelation was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
**kwargs passed to QuerySet.annotate() or QuerySet.alias().
Fixed a bug where using QuerySet.values() or values_list() with a
ForeignObject composed of multiple fields returned incorrect results
instead of tuples of the referenced fields (#36431).
11月 21, 2025