From 374674476a8ed0dea19729c4c3d8f77ca3bd75ad Mon Sep 17 00:00:00 2001 From: Nguyen Anh Binh Date: Fri, 27 Feb 2026 09:20:38 +0700 Subject: [PATCH] fix: set Django minimum version to 4.2.26 to address CVE-2025-64459 and CVE-2025-57833 The current lower bound Django>=4.2,<4.3 allows installing versions vulnerable to two SQL injection CVEs: CVE-2025-64459 (CVSS 9.1): SQL injection via Q() and QuerySet.filter() keyword argument unpacking. When _connector or _negated are passed as keys, an attacker can manipulate the WHERE clause logic, enabling authentication bypass and data exfiltration. Fixed in 4.2.26. CVE-2025-57833 (CVSS high): SQL injection via FilteredRelation alias injection in QuerySet.annotate() and QuerySet.alias(). Fixed in 4.2.24. Bumping to >=4.2.26 ensures both CVEs are addressed under the 4.2.x branch. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 21dc565b14..0babc018d3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,7 +5,7 @@ pbr>=5.5.0 # Apache-2.0 # Horizon Core Requirements Babel>=2.6.0 # BSD -Django>=4.2,<4.3 # BSD +Django>=4.2.26,<4.3 # BSD django-compressor>=4.4 # MIT django-debreach>=1.4.2 # BSD License (2 clause) futurist>=1.2.0 # Apache-2.0
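Review bot: The new floor `Django>=4.2.26,<4.3` is consistent with the commit message (4.2.26 is at or above both fixed versions, 4.2.24 and 4.2.26 respectively), and keeping the `<4.3` cap avoids pulling in a different major branch, so the change itself looks right. Two things worth checking before merge: any pinned or constraints file this project installs against (for example an upper-constraints list or a lock file used in CI) must also allow a Django version of at least 4.2.26, otherwise the new lower bound will make dependency resolution fail rather than silently install an older release; and a raised lower bound in requirements.txt only affects fresh installs and rebuilds, so existing deployments still running a vulnerable 4.2.x stay vulnerable until they are explicitly upgraded, which is worth calling out in the release note alongside the two CVE identifiers.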