RE: dPoll development updates: Result filtering and voting audits
Ah, no. Not even close to being vulnerable to SQL injection :)
https://github.com/emre/dpoll.xyz/blob/master/dpoll/polls/utils.py#L271
Also, Django ORM prevents SQL injection attacks with prepared queries as long as the library user doesn't execute raw queries.
The real problem with the current implementation is that the app gets all votes and then filters them in a for loop. That doesn't matter at such a small scale as dPoll's, but it should be done at the database level (more efficient and less code).
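Both points in the comment above, as an added example that is not dPoll's or Django's own code: it uses only the standard-library `sqlite3` module so it runs without Django, but the mechanism is the same one the ORM relies on. The unsafe function builds SQL by string formatting (what a hand-written raw query can do); the safe one passes the value as a bound parameter, which is what `QuerySet.filter()` does for you. The last two functions contrast fetching every vote and filtering in a Python loop against letting the database apply the `WHERE` clause. The table and column names (`polls_vote`, `poll_id`, `voter`, `choice`) and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Assumed schema and constructed sample data; not dPoll's real tables.
SAMPLE_VOTES = [
    (1, "alice", "yes"),
    (1, "bob", "no"),
    (2, "alice", "maybe"),
    (1, "carol", "yes"),
]


def make_db():
    """Create an in-memory database with a small votes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE polls_vote ("
        "id INTEGER PRIMARY KEY, poll_id INTEGER, voter TEXT, choice TEXT)"
    )
    conn.executemany(
        "INSERT INTO polls_vote (poll_id, voter, choice) VALUES (?, ?, ?)",
        SAMPLE_VOTES,
    )
    conn.commit()
    return conn


def votes_unsafe(conn, voter):
    """Vulnerable: user input is interpolated into the SQL text, so a value
    such as  nobody' OR '1'='1  changes the query instead of being matched."""
    sql = f"SELECT voter, choice FROM polls_vote WHERE voter = '{voter}' ORDER BY id"
    return conn.execute(sql).fetchall()


def votes_safe(conn, voter):
    """Parameterized: the driver binds the value separately from the SQL, so
    the input is compared as data and never parsed as SQL. This is what the
    Django ORM emits for Vote.objects.filter(voter=voter)."""
    sql = "SELECT voter, choice FROM polls_vote WHERE voter = ? ORDER BY id"
    return conn.execute(sql, (voter,)).fetchall()


def votes_for_poll_in_python(conn, poll_id):
    """The pattern the comment criticizes: pull every row, then filter in a
    for loop. Correct, but it moves the whole table over the connection."""
    rows = conn.execute(
        "SELECT poll_id, voter, choice FROM polls_vote ORDER BY id"
    ).fetchall()
    result = []
    for p, voter, choice in rows:
        if p == poll_id:
            result.append((voter, choice))
    return result


def votes_for_poll_in_db(conn, poll_id):
    """Filter at the database level with a bound parameter: only matching
    rows are read and returned (Vote.objects.filter(poll_id=poll_id))."""
    sql = "SELECT voter, choice FROM polls_vote WHERE poll_id = ? ORDER BY id"
    return conn.execute(sql, (poll_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"
    print("unsafe:", votes_unsafe(db, payload))   # every row comes back
    print("safe:  ", votes_safe(db, payload))     # no voter has that name
    print("loop:  ", votes_for_poll_in_python(db, 1))
    print("db:    ", votes_for_poll_in_db(db, 1))
```

If a raw query is genuinely needed in Django, the same rule applies: pass values through the `params` argument of `Manager.raw()` or `cursor.execute()` rather than formatting them into the query string.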
Perfect! Are you able to use LINQ to retrieve a filtered dataset in Python?