AAP-64830: fixes CVE-2026-1207, CVE-2026-1287, CVE-2026-1312. #1834

Merged
omaciel merged 2 commits into main from omaciel-CVE-2026-1207-CVE-2026-1287-CVE-2026-1312
Feb 6, 2026

Conversation


@omaciel omaciel commented Feb 6, 2026

Jira Issue: https://issues.redhat.com/browse/AAP-64830
Jira Issue: https://issues.redhat.com/browse/AAP-64841
Jira Issue: https://issues.redhat.com/browse/AAP-64845

Description

Handles the following issues:

  • CVE-2026-1207 Django: SQL Injection via RasterField band index parameter
  • CVE-2026-1287 Django: SQL Injection via crafted column aliases
  • CVE-2026-1312 Django: SQL injection via crafted column aliases in QuerySet.order_by()

Testing

Steps to test

  1. Pull down the PR
  2. ...
  3. ...

Type of Change

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to break)
  • Security fix
  • Performance improvement
  • Code refactoring
  • Documentation update
  • CI/CD update

Backport Policy

This change should be:

  • Not backported - main/master only
  • Backported to specific releases (add labels after merge)

Automated Backport Instructions

After this PR is merged, add one or more labels to automatically create backport PRs:

  • backport/stable-2.4 - Backport to stable-2.4 branch
  • backport/stable-2.5 - Backport to stable-2.5 branch
  • backport/stable-2.6 - Backport to stable-2.6 branch
  • backport/all - Backport to all active stable branches
  • no-backport - Explicitly mark as not needing backport

Backport Justification

Special backport considerations:

Scenarios tested

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:

Django: SQL Injection via RasterField band index parameter
pip-audit has an older version of `pip` which causes it to fail due to https://www.cve.org/CVERecord?id=CVE-2026-1703.

sonarqubecloud bot commented Feb 6, 2026

@omaciel omaciel merged commit 99bca7f into main Feb 6, 2026
11 checks passed
@omaciel omaciel deleted the omaciel-CVE-2026-1207-CVE-2026-1287-CVE-2026-1312 branch February 6, 2026 14:53