Skip to main content

Dbix

1 CVEs product

Monthly

CVE-2026-13766 CRITICAL PATCH Act Now

SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

SQLi Dbix
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

SQLi Dbix
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy