The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.
A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
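As an added example (not code from DBIx::QuickORM or the SQL::Abstract distribution), the following Perl contrasts a SQL::Abstract builder that leaves quote_char unset, as the advisory describes, with one that sets quote_char and name_sep so identifiers are emitted as quoted names, and shows the allowlist check a caller should apply before any request parameter reaches an identifier position such as order_by. The table name, column names and the %SORTABLE allowlist are constructed for the illustration, and the exact SQL text produced varies with the SQL::Abstract version installed.

```perl
#!/usr/bin/env perl
# Added example, not project code: unquoted vs. quoted identifier
# generation in SQL::Abstract, plus an allowlist gate for order_by.
use strict;
use warnings;
use SQL::Abstract;

# Columns the application actually exposes for sorting (constructed).
my %SORTABLE = map { $_ => 1 } qw(id name created_at);

# Builder as described in the advisory: bindtype set, quote_char unset,
# so every identifier string is interpolated into the SQL verbatim.
my $unquoted = SQL::Abstract->new(bindtype => 'normal');

# Hardened builder: with quote_char and name_sep set, SQL::Abstract wraps
# each identifier part in the quote character, so the caller's string is
# emitted as a quoted name rather than as bare SQL.
my $quoted = SQL::Abstract->new(
    bindtype   => 'normal',
    quote_char => '"',
    name_sep   => '.',
);

# Caller-side check: identifiers cannot be placeholder-bound, so the only
# safe source for an order_by value is a fixed set of known column names.
# Dies on anything outside the allowlist before any SQL is generated.
sub checked_order_by {
    my ($requested) = @_;
    die "unsupported sort column\n"
        unless defined $requested && $SORTABLE{$requested};
    return $requested;
}

# Build the same query with both builders for a legitimate sort key and
# print the statement next to its bind values; note that the where-clause
# value is bound in both cases while only the quoted builder protects
# the table, field and order_by identifiers.
for my $entry ([unquoted => $unquoted], [quoted => $quoted]) {
    my ($label, $sqla) = @$entry;
    my ($sql, @bind) = $sqla->select(
        'users',                      # table (constructed)
        [qw(id name)],                # field list
        { status => 'active' },       # where: value is placeholder-bound
        checked_order_by('name'),     # order_by: identifier, allowlisted
    );
    printf "%-8s %s  [bind: %s]\n", $label, $sql, join(', ', @bind);
}

# A request for a real column that is not exposed for sorting is refused
# by the allowlist regardless of which builder is in use.
eval { checked_order_by('email') };
print "rejected: $@" if $@;
```

Run it with `perl` on a system where SQL::Abstract is installed. Setting quote_char is the library-side fix; the allowlist is the caller-side check, and it remains worthwhile after upgrading because an identifier position can never be covered by a bind placeholder.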
Vendor Solution
Upgrade to DBIx::QuickORM 0.000026 or later.
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Exodist, Exodist dbix::quickorm |
| Vendors & Products | | Exodist, Exodist dbix::quickorm |
Tue, 30 Jun 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 |
Tue, 30 Jun 2026 11:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering. |
| Title | | DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers |
| Weaknesses | | CWE-89 |
| References | | |
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-06-30T17:35:42.702Z
Reserved: 2026-06-29T19:58:43.298Z
Link: CVE-2026-13766
OpenCVE Enrichment
Updated: 2026-07-01T10:01:48Z