Description
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.
The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.
A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.
A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
Published:
2026-06-30
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| EXODIST | DBIx::QuickORM | unaffected |
|
No data.
No data.
No data available yet.
Remediation
Vendor Solution
Upgrade to DBIx::QuickORM 0.000026 or later.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 30 Jun 2026 11:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering. | |
| Title | DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers | |
| Weaknesses | CWE-89 | |
| References |
|
Subscriptions
No data.
MITRE
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-06-30T11:20:35.463Z
Reserved: 2026-06-29T19:58:43.298Z
Link: CVE-2026-13766
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-30T13:00:04Z
Weaknesses