Here are some news items our team found interesting over the past week, which you might have missed.
Django SQL injection in column aliases (CVE-2025-59681)
Django is vulnerable to SQL injection in column aliases (CVE-2025-59681, CVSS 7.1) when an attacker-controlled dictionary is expanded as **kwargs into QuerySet.annotate(), alias(), aggregate(), or extra() on MySQL or MariaDB. Affected: 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. See the Django 5.2.7 release notes and the GitHub advisory GHSA-hpr9-3m2g-3j9p for details. Upgrade to 4.2.25, 5.1.13, or 5.2.7 to remediate.
The dictionary keys become column alias names. If user-controlled data reaches them, an attacker can inject SQL tokens into the generated statement on MySQL/MariaDB and alter query logic, exfiltrate data, or tamper with results; PostgreSQL and SQLite are not affected. Review code where alias names are built from request data or template variables, especially dictionary expansion such as qs.annotate(**user_supplied). Audit database query logs for alias names that are not plain identifiers (backticks, quotes, parentheses, semicolons, or comment markers following AS), particularly near complex annotations.
If you cannot upgrade immediately: stop passing user input into alias names (sound practice on any version), enforce a fixed allow-list of alias strings, and restrict the privileges of the database account Django uses. Add tests that build queries from hostile alias inputs and assert that no SQL meta-characters survive into the alias names.
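As an added example, not code from the original post or from Django itself, here is the pattern described above in Python: the vulnerable shape in which a request-supplied name becomes a dictionary key destined for annotate(**kwargs), the allow-listed form beside it, a strict identifier check to drive tests with hostile inputs, and a heuristic scanner for the AS-alias review of query logs. It does not import Django: the expression values are placeholder strings standing in for Django expressions, the alias names, hostile inputs and sample SQL statements are constructed, and the set of known aliases is one you would fill in from your own code base.

```python
import re

# Aliases this view is willing to expose, mapped to the expression each one
# computes. A fixed allow-list is the strongest mitigation: the alias never
# originates from the request. (Assumed names; the values are placeholder
# strings standing in for Django expressions such as Count("comments").)
ALLOWED_ANNOTATIONS = {
    "comment_count": "Count('comments')",
    "total_price": "F('price') * F('quantity')",
}

# Defence in depth for any alias that still has to be derived from input:
# letters, digits and underscore only; no quotes, backticks, parentheses,
# whitespace or comment markers. 64 is the MySQL/MariaDB identifier limit.
ALIAS_RE = re.compile(r"\A[A-Za-z_][A-Za-z0-9_]{0,63}\Z")

# Constructed hostile alias inputs for a test suite to push through the
# alias-building code. Illustrative strings, not a known payload.
HOSTILE_ALIASES = [
    "x) FROM auth_user -- ",
    "cnt`; DROP TABLE app_post; -- ",
    "cnt\" AS cnt, password FROM auth_user -- ",
    "cnt\x00",
    "",
]


def build_annotations_unsafe(request_params):
    """Vulnerable pattern: the dictionary KEY (the column alias) is taken
    straight from the request, as in a 'name this output column' feature.
    The caller expands it as qs.annotate(**result), so on an unpatched Django
    with MySQL/MariaDB the key reaches the generated SQL."""
    alias = request_params.get("alias", "count")
    return {alias: "Count('id')"}


def build_annotations_safe(request_params, allowed=ALLOWED_ANNOTATIONS):
    """Hardened form: the client may only pick from the allow-list and the
    expression is looked up server-side, so neither key nor value is attacker
    controlled. Anything else is rejected before it reaches the ORM."""
    alias = request_params.get("alias", "comment_count")
    if alias not in allowed:
        raise ValueError(f"alias not permitted: {alias!r}")
    return {alias: allowed[alias]}


def alias_is_rejected(alias):
    """Convenience for tests: True if the hardened builder refuses the alias."""
    try:
        build_annotations_safe({"alias": alias})
    except ValueError:
        return True
    return False


def is_safe_alias(alias):
    """Strict identifier check used by the tests and the log scanner."""
    return ALIAS_RE.match(alias) is not None


def unsafe_alias_keys(kwargs):
    """Test helper: for a dict about to be **-expanded into annotate(), alias(),
    aggregate() or extra(), return the keys that are not clean identifiers.
    A regression test asserts this is empty for whatever the view produces."""
    return [k for k in kwargs if not is_safe_alias(k)]


# Log review. Django quotes MySQL/MariaDB aliases with backticks, so a normal
# clause reads AS `comment_count`. The scanner flags an alias that is not a
# clean identifier, or one that is not on the list of aliases your code base
# is known to generate. Heuristic: add type names such as the one in
# CAST(... AS signed) to the known set to silence those.
AS_CLAUSE_RE = re.compile(
    r"\bAS\s+(?:`([^`]*)`|([A-Za-z_][A-Za-z0-9_]*)|(\S+))", re.IGNORECASE
)


def suspicious_as_clauses(sql, known_aliases):
    """Return (alias, reason) pairs for every AS clause that looks wrong;
    an empty list means the statement looks normal."""
    hits = []
    for m in AS_CLAUSE_RE.finditer(sql):
        alias = next(g for g in m.groups() if g is not None)
        if not is_safe_alias(alias):
            hits.append((alias, "malformed alias"))
        elif alias not in known_aliases:
            hits.append((alias, "unknown alias"))
    return hits


# Constructed sample statements (not real captured logs).
CLEAN_SQL = (
    "SELECT `app_post`.`id`, COUNT(`app_comment`.`id`) AS `comment_count` "
    "FROM `app_post` LEFT OUTER JOIN `app_comment` "
    "ON (`app_post`.`id` = `app_comment`.`post_id`) GROUP BY `app_post`.`id`"
)
INJECTED_SQL = (
    "SELECT `app_post`.`id`, COUNT(`app_comment`.`id`) AS `cnt`, "
    "`auth_user`.`password` FROM `app_post`, `auth_user` -- ` FROM `app_post`"
)
MALFORMED_SQL = (
    "SELECT COUNT(`app_comment`.`id`) AS `x) FROM auth_user -- ` FROM `app_post`"
)
```

The allow-list builder is the fix to keep; the identifier regex and the log scanner are the belt-and-braces layer for the window before you can upgrade. Note that the "unknown alias" check is what catches an injection that reads as well-formed SQL (a closed backtick followed by a comma and a subquery), so keep the known set tight rather than permissive.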
FreshRSS admin creation via hidden field (CVE-2025-54875)
FreshRSS allowed creation of an administrator account through self-registration (CVE-2025-54875, CVSS 9.8) by abusing a hidden form field intended for admin use (new_user_is_admin). It is exploitable only when the self-registration feature is enabled and reachable by the attacker. Affected: 1.16.0 through 1.26.3. Fixed in 1.27.0; upgrade promptly if affected.
An unauthenticated attacker could register and obtain admin rights simply by including the hidden field in the registration request. Instances are at risk only if "allow user registration" is enabled and exposed publicly, but that is a common configuration. To assess impact, audit the user list for unexpected admin accounts and their creation times. Searching HTTP access logs for registration POSTs containing new_user_is_admin=1 only helps if your reverse proxy logs request bodies; a standard access log records the request line, not the form data.
Until you can upgrade: disable self-registration, or place the registration route behind SSO, reverse-proxy authentication, or a similar gate. Since creating an admin should never be self-service, also consider blocking the new_user_is_admin parameter on the registration route at the web server, reverse proxy, or WAF; match on the decoded form body rather than the raw bytes so that percent-encoded spellings of the field name are caught as well. After patching, review admin accounts and rotate admin passwords and API tokens.
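An added example, in Python, of the checks described above; it is not FreshRSS code and does not reproduce FreshRSS's form handling. It shows a gate that rejects a registration POST carrying new_user_is_admin after decoding the form body, a scanner for proxy logs that record request bodies, and an audit of the user list for admins not on the expected roster. The registration route (a=register in the query string), the JSON log schema, and the sample log lines and users are assumptions constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Form fields a client must never be allowed to set during self-registration.
# The field name is the one in the advisory; FreshRSS's own form handling is
# not reproduced here.
PRIVILEGED_FIELDS = frozenset({"new_user_is_admin"})


def privileged_fields_in_body(body):
    """Decode a form-encoded POST body and return the privileged field names it
    tries to set. Decoding first matters: a rule that substring-matches the raw
    body misses percent-encoded spellings such as new%5Fuser%5Fis%5Fadmin."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(f for f in fields if f in PRIVILEGED_FIELDS)


def is_registration_request(method, uri):
    """Assumed route: the registration action is identified by a=register in
    the query string. This is an assumption for the example, not taken from
    FreshRSS source; adjust it to your deployment."""
    query = parse_qs(urlsplit(uri).query)
    return method.upper() == "POST" and query.get("a") == ["register"]


def should_block(method, uri, body):
    """The gate a reverse proxy or WAF rule would apply: reject a registration
    POST that carries any privileged field, pass everything else through."""
    return is_registration_request(method, uri) and bool(privileged_fields_in_body(body))


def scan_proxy_log(lines):
    """Scan JSON-lines proxy records (constructed schema: ts, src, method, uri,
    body) for registration POSTs that tried to set a privileged field. This only
    works when the proxy logs request bodies; a standard access log does not."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        body = rec.get("body", "")
        if should_block(rec["method"], rec["uri"], body):
            findings.append((rec["ts"], rec["src"], privileged_fields_in_body(body)))
    return findings


def unexpected_admins(users, expected_admins):
    """Post-incident audit: every admin account not on the known roster, with
    its creation date, so 'who made this and when' is answered at a glance."""
    return sorted((u["username"], u["created"])
                  for u in users if u["is_admin"] and u["username"] not in expected_admins)


def _record(ts, src, uri, body):
    """Build one constructed JSON log line in the assumed schema."""
    return json.dumps({"ts": ts, "src": src, "method": "POST", "uri": uri, "body": body})


# Constructed sample data (not real logs or users).
SAMPLE_LOG = [
    _record("2025-10-02T10:00:01Z", "203.0.113.5", "/i/?c=auth&a=register",
            "username=alice&password=Ok123&new_user_is_admin=1"),
    _record("2025-10-02T10:00:09Z", "198.51.100.7", "/i/?c=auth&a=register",
            "username=bob&password=x&new%5Fuser%5Fis%5Fadmin=1"),   # encoded field name
    _record("2025-10-02T10:01:00Z", "192.0.2.9", "/i/?c=auth&a=register",
            "username=carol&password=x"),                            # benign signup
    _record("2025-10-02T10:02:00Z", "192.0.2.9", "/i/?c=auth&a=login",
            "username=carol&password=x&new_user_is_admin=1"),        # not the registration route
]
SAMPLE_USERS = [
    {"username": "admin", "is_admin": True, "created": "2024-01-01"},
    {"username": "alice", "is_admin": True, "created": "2025-10-02"},
    {"username": "carol", "is_admin": False, "created": "2025-10-02"},
]
```

The gate is scoped to the registration route rather than dropping the field site-wide because a hidden field "intended for admin use" may be exactly what the legitimate admin user-creation form submits; whether that is the case in FreshRSS is not verified here, so treat the scope as an assumption and confirm it against your own instance before deploying a rule.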
This is a good lesson in the importance of design review to security: the bug would be hard for most automated code-review tools to catch, because finding it requires understanding the programmer's intent and how the implementation could be subverted to violate that intent.
Note: for the first time ever in this series, and as an experiment, the contents of this post were originally generated by an LLM and then heavily edited by the author. Let us know what you think!