Skip to main content

DBIx::QuickORM CVE-2026-13766

| EUVDEUVD-2026-40295 CRITICAL
SQL Injection (CWE-89)
2026-06-30 CPANSec GHSA-gvp3-3684-gppw
9.8
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable injection with no auth where an app exposes identifier inputs; full database read/write/DoS impact justifies C:H/I:H/A:H, consistent with the published 9.8.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 30, 2026 - 15:25 vuln.today
CVSS changed
Jun 30, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Jun 30, 2026 - 11:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.

The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.

A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

AnalysisAI

SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint forwarding input to order_by
Delivery
Craft order_by with malicious sub-select
Exploit
Identifier injected into raw SQL
Execution
Database executes attacker subquery
Impact
Disclose or tamper with data

Vulnerability AssessmentAI

Exploitation Exploitation requires the integrating application to forward attacker-controlled input into one of the unquoted SQL identifier positions named in the advisory: order_by values, where-clause column keys, field lists, returning lists, upsert columns, or join aliases - the canonical example being a user-controlled order_by value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact with no authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A web application built on DBIx::QuickORM exposes a sortable table and forwards the user-supplied sort parameter directly into the ORM's order_by argument. An attacker submits an order_by value containing a sub-select over columns the query never selected, making row order leak the contents of other columns or tables; the same identifier channel in where and update operations enables further disclosure and tampering. …
Remediation Upgrade DBIx::QuickORM to version 0.000026 or later, which is the vendor-released patch (commit 43d7684682050780f056f25e1879191fb0a3265e, see https://github.com/exodist/DBIx-QuickORM/commit/43d7684682050780f056f25e1879191fb0a3265e.patch and https://metacpan.org/release/EXODIST/DBIx-QuickORM-0.000026/changes). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems and applications using DBIx::QuickORM; identify those running versions before 0.000026. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy