An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. CREATE(Triage):(User=admin) CVE-2022-34265 (https://nvd.nist.gov/vuln/detail/CVE-2022-34265)
