GHSA-r3hx-x5rh-p9vv: django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization
Summary
django-haystack's Elasticsearch backend contains a remote code execution vulnerability where it calls `eval()` (a function that executes Python code from strings) on field values without proper validation. This happens when a SearchField uses an `index_fieldname` alias different from its logical name; the lookup fails and the raw value is passed to `eval()`. An attacker who can control indexed content and trigger a search can execute arbitrary code on the Django application.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-r3hx-x5rh-p9vv
First tracked: July 15, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 75%