Description
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.

The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.

A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
Published: 2026-06-30
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from the SQL builder in DBIx::QuickORM not quoting SQL identifiers, so caller-supplied identifiers are emitted verbatim while values remain placeholder-bound. Any application that forwards untrusted input into an identifier position such as order_by, a where-clause column key, a field or returning list, an upsert column or a join alias lets an attacker inject arbitrary SQL there. The effect ranges from data exposure (for example, row order made to depend on a column the query never selected) to data tampering through the where and update identifier positions. The weakness is classified as CWE-89.

Affected Systems

Any installation of EXODIST's DBIx::QuickORM for Perl that uses a version earlier than 0.000026 and accepts external input as an identifier is at risk.

Risk and Exploitability

An attacker who can influence any identifier parameter can inject SQL directly; no special tooling is needed. The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the flaw critical, and the SSVC assessment marks it as automatable with total technical impact. That vector assumes the application forwards network-reachable input into an identifier position; where every identifier comes from application code, the library flaw is present but not reachable. No EPSS score is available and the vulnerability is not in CISA's KEV catalog, but because the builder performs no quoting at all, any exposed identifier position is exploitable with an ordinary request. Security teams should treat the risk as high, inventory where order_by values, column keys, field lists and aliases are derived from request data, and restrict those inputs until the upgrade is in place.

Generated by OpenCVE AI on June 30, 2026 at 16:24 UTC.

Remediation

Vendor Solution

Upgrade to DBIx::QuickORM 0.000026 or later.


OpenCVE Recommended Actions

  • Upgrade DBIx::QuickORM to version 0.000026 or later.
  • Validate all identifier inputs (order_by, column names, field lists, aliases) against a fixed allowlist before they are passed to the library, and reject anything not on the list rather than trying to escape it.
  • If upgrading is not immediately feasible, construct the builder with identifier quoting enabled (SQL::Abstract's quote_char, together with name_sep so that dotted names such as table.column are quoted per part), or wrap the builder so that every dynamic identifier is quoted. Quoting only stops an identifier from being parsed as SQL syntax; a quoted identifier is still whichever column the caller named, so the allowlist in the previous step remains necessary.

Generated by OpenCVE AI on June 30, 2026 at 16:24 UTC.
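The following Perl script is added here as a worked example; it is not code from DBIx::QuickORM or from the OpenCVE page. It reproduces the mechanism in the description above and the two remediation steps (quote_char and allowlisting) using SQL::Abstract directly. It assumes that a bare SQL::Abstract object handles identifiers the same way as the ORM's default builder (the description says the subclass sets only bindtype, which changes how bind values are returned and has no effect on identifiers). The table, column names, attacker strings, the safe_order_by helper and its ORDERABLE allowlist are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example, not DBIx::QuickORM code. Shows (1) how an unquoted
# SQL::Abstract builder lets untrusted identifiers reach the SQL text,
# (2) what quote_char changes, and (3) why an allowlist is still needed.
use strict;
use warnings;
use SQL::Abstract;

# Assumption: a plain SQL::Abstract reproduces the identifier behaviour of
# the ORM's default builder. bindtype (which the builder does set) only
# affects how bind values are returned, never identifiers, so it is omitted.
my $unquoted = SQL::Abstract->new;
my $quoted   = SQL::Abstract->new(quote_char => '"', name_sep => '.');

# Constructed attacker inputs. Values are bound with '?' and are untouched;
# identifiers are not. The where-key payload keeps exactly one placeholder so
# the driver still accepts the bind list.
my $evil_order = '(SELECT password_hash FROM users WHERE id = 1)';
my $evil_key   = '1=1 OR id';

sub show {
    my ($label, $sa, $where, $order) = @_;
    my ($stmt, @bind) = $sa->select('users', [qw(id name)], $where, $order);
    print "$label\n  $stmt\n  bind: [@bind]\n";
}

# 1. No quote_char: both strings are emitted verbatim, so the sub-select
#    becomes the ORDER BY expression and the key rewrites the WHERE clause
#    (exact whitespace/parentheses vary with the SQL::Abstract version).
show('unquoted order_by',  $unquoted, { status => 'active' }, $evil_order);
show('unquoted where key', $unquoted, { $evil_key => 'x' },  'id');

# 2. quote_char set: the same strings become double-quoted identifiers,
#    e.g. ORDER BY "(SELECT password_hash FROM users WHERE id = 1)", so no
#    SQL syntax is injected. Most engines reject that as an unknown column;
#    SQLite (with its legacy double-quoted-string fallback) treats it as a
#    harmless string literal. Either way the sub-select never runs.
show('quoted order_by',  $quoted, { status => 'active' }, $evil_order);
show('quoted where key', $quoted, { $evil_key => 'x' },  'id');

# 3. Quoting is not a complete fix: a quoted identifier is still whatever
#    column the caller named, so a user could order by or filter on a column
#    they are not meant to see. Map the untrusted value onto a fixed
#    allowlist and build the order_by structure yourself (assumed app code).
my %ORDERABLE = map { $_ => 1 } qw(id name created_at);

sub safe_order_by {
    my ($raw) = @_;
    my ($col, $dir) = ($raw // '') =~ /\A(\w+)(?:\s+(asc|desc))?\z/i
        or die "order_by rejected: expected 'column [asc|desc]'\n";
    die "order_by rejected: '$col' is not an orderable column\n"
        unless $ORDERABLE{$col};
    # SQL::Abstract's structured form; the column is also quoted by $quoted.
    return { (lc($dir // 'asc') eq 'desc' ? '-desc' : '-asc') => $col };
}

show('allowlisted order_by', $quoted, { status => 'active' },
     safe_order_by('created_at desc'));
eval { safe_order_by($evil_order) } or print "rejected: $@";
```

Run it with any SQL::Abstract installed and compare the three ORDER BY lines: the first carries the attacker's sub-select into the statement, the second carries it only as an inert quoted name, and the third never reaches the builder with attacker-controlled text at all. One further caveat for the wrapper approach: SQL::Abstract deliberately passes scalar references (\"raw SQL") and similar literal forms through unquoted, so a wrapper must never build those from request data either.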

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Values added (none removed):
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Values added (none removed):
  • Description: DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
  • Title: DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers
  • Weaknesses: CWE-89
  • References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-30T17:35:42.702Z

Reserved: 2026-06-29T19:58:43.298Z

Link: CVE-2026-13766

Vulnrichment

Updated: 2026-06-30T17:35:42.702Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')