Impact
The flaw stems from the SQL builder in DBIx::QuickORM not quoting SQL identifiers, so caller-supplied identifiers (table, column and alias names) are emitted verbatim into the generated statement. An attacker who controls such a value can therefore inject arbitrary SQL through inputs such as order_by, where-clause column keys, field lists, or join aliases. The effect is potentially severe data tampering or exposure, and the weakness is classified as CWE-89 (SQL injection).
Affected Systems
Any installation of EXODIST's DBIx::QuickORM for Perl that uses a version earlier than 0.000026 and accepts external input as an identifier is at risk.
Risk and Exploitability
An attacker who can influence any identifier parameter can directly inject SQL, so exploitation requires no special technique. The CVSS base score of 9.8 indicates critical severity. Although no EPSS score is available and the vulnerability is not yet in CISA's KEV catalog, the absence of both input validation and identifier quoting makes exploitation likely wherever identifiers come from untrusted input, and the impact is high. Security teams should assume a high risk, upgrade to 0.000026 or later, and in the meantime validate or restrict identifier inputs before they reach the ORM.
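The following Perl snippet is an added illustration of the defensive pattern the advisory calls for; it is not code from DBIx::QuickORM and does not reproduce its API. It contrasts a builder that emits an identifier verbatim (the shape of the flaw described above) with one that first checks the identifier against an allowlist of known columns and then quotes it. The table and column names, and the hostile input used in the demonstration, are constructed for the example.

```perl
#!/usr/bin/env perl
# Added illustration, not DBIx::QuickORM code: why an unquoted, unchecked
# identifier is an injection point, and one way to guard it.
use strict;
use warnings;

# Columns a caller may legitimately sort or filter on (constructed schema).
my %ALLOWED_COLUMNS = map { $_ => 1 } qw(id name email created_at);

# Vulnerable pattern: the caller-supplied column is interpolated as-is,
# so anything the caller passes becomes part of the statement.
sub order_by_unquoted {
    my ($table, $col) = @_;
    return "SELECT * FROM $table ORDER BY $col";
}

# ANSI-style identifier quoting: wrap in double quotes and double any
# embedded double quote. With a live DBI handle, $dbh->quote_identifier
# does this with the driver's own quoting rules.
sub quote_ident {
    my ($name) = @_;
    (my $q = $name) =~ s/"/""/g;
    return qq{"$q"};
}

# Hardened pattern: reject identifiers that are not on the allowlist,
# then quote the survivors. Quoting alone stops the string from being
# parsed as SQL; the allowlist additionally stops a caller from naming
# columns the application never intended to expose.
sub order_by_safe {
    my ($table, $col) = @_;
    die "unknown column: $col\n" unless $ALLOWED_COLUMNS{$col};
    return sprintf 'SELECT * FROM %s ORDER BY %s',
        quote_ident($table), quote_ident($col);
}

# Constructed hostile input: a value that should never reach a query.
my $hostile = 'id; -- smuggled';

print "verbatim : ", order_by_unquoted('users', $hostile), "\n";
print "quoted   : ", order_by_safe('users', 'name'), "\n";

my $ok = eval { order_by_safe('users', $hostile); 1 };
print "hardened builder rejected hostile input: $@" unless $ok;
```

Run it with plain perl; no database connection is needed. The first line of output shows the hostile value sitting in the statement unchanged, the second shows the properly quoted identifiers, and the third shows the allowlist refusing the hostile value before any SQL is built. In a real application the allowlist would be derived from the schema rather than hard-coded, but the shape of the check is the same.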
OpenCVE Enrichment