Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable injection with no auth where an app exposes identifier inputs; full database read/write/DoS impact justifies C:H/I:H/A:H, consistent with the published 9.8.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.
The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.
A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
AnalysisAI
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the integrating application to forward attacker-controlled input into one of the unquoted SQL identifier positions named in the advisory: order_by values, where-clause column keys, field lists, returning lists, upsert columns, or join aliases - the canonical example being a user-controlled order_by value. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact with no authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A web application built on DBIx::QuickORM exposes a sortable table and forwards the user-supplied sort parameter directly into the ORM's order_by argument. An attacker submits an order_by value containing a sub-select over columns the query never selected, making row order leak the contents of other columns or tables; the same identifier channel in where and update operations enables further disclosure and tampering. … |
| Remediation | Upgrade DBIx::QuickORM to version 0.000026 or later, which is the vendor-released patch (commit 43d7684682050780f056f25e1879191fb0a3265e, see https://github.com/exodist/DBIx-QuickORM/commit/43d7684682050780f056f25e1879191fb0a3265e.patch and https://metacpan.org/release/EXODIST/DBIx-QuickORM-0.000026/changes). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems and applications using DBIx::QuickORM; identify those running versions before 0.000026. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40295
GHSA-gvp3-3684-gppw