django is vulnerable to SQL injection. The library directly passes the user input directly to the QuerySet.annotate(), aggregate(), and extra() methods, allowing an attacker to inject malicious SQL query in column aliases via a malicious dictionary as the passed **kwargs.
www.openwall.com/lists/oss-security/2022/04/11/1
docs.djangoproject.com/en/4.0/releases/security/
github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d
groups.google.com/forum/#!forum/django-announce
lists.debian.org/debian-lts-announce/2022/04/msg00013.html
security.netapp.com/advisory/ntap-20220609-0002/
www.debian.org/security/2022/dsa-5254
www.djangoproject.com/weblog/2022/apr/11/security-releases/
www.openwall.com/lists/oss-security/2022/04/11/1