From c34a85699b22f68691988dde7db24dd946c43128 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Thu, 5 Feb 2026 17:05:49 +0100
Subject: [PATCH] =?UTF-8?q?=E2=AC=86=EF=B8=8F(backend)=20upgrade=20Django?= =?UTF-8?q?=20to=20address=20multiple=20high-severity=20CVEs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This update fixes several SQL injection vulnerabilities, including issues in RasterField band index handling and crafted column aliases (notably in QuerySet.order_by()), as reported in CVE-2026-1207, CVE-2026-1287, and CVE-2026-1312.
---
 src/backend/pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/backend/pyproject.toml b/src/backend/pyproject.toml
index a2bfaaed..14ab34f7 100644
--- a/src/backend/pyproject.toml
+++ b/src/backend/pyproject.toml
@@ -38,7 +38,7 @@ dependencies = [
 "django-redis==6.0.0",
 "django-storages[s3]==1.14.6",
 "django-timezone-field>=5.1",
- "django==5.2.9",
+ "django==5.2.11",
 "djangorestframework==3.16.1",
 "drf_spectacular==0.29.0",
 "dockerflow==2024.4.2",