CVE-2026-13766
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers
Description
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
INFO
Published Date: June 30, 2026, 11:20 a.m.
Last Modified: June 30, 2026, 11:20 a.m.
Remotely Exploit: No
Source: CPANSec
Affected Products
The following products are affected by the CVE-2026-13766 vulnerability. Even where cvefeed.io knows the exact affected versions of the products, that information is not represented in the table below.
No affected product recorded yet
Solution
- Update DBIx::QuickORM to version 0.000026.
- Sanitize all user-supplied SQL identifiers.
- Avoid unquoted identifier positions for user input.
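As an added example (not code from DBIx::QuickORM, SQL::Abstract or the advisory), the two mitigations above applied to the order_by position the description singles out: an allowlist check on the caller-supplied column, and a SQL::Abstract builder constructed with quote_char alongside bindtype so identifiers are quoted rather than copied verbatim. The table and column names are constructed sample values.

```perl
use strict;
use warnings;
use SQL::Abstract;

# Constructed sample schema: the only columns a request may order by.
my %ORDERABLE = map { $_ => 1 } qw(id email created_at);

# Allowlist check for a caller-supplied order_by column. This is the
# primary control: an identifier that is not a known column never
# reaches the SQL builder, whether or not the builder quotes it.
sub safe_order_by {
    my ($column, $direction) = @_;
    die "order_by column not permitted\n"
        unless defined $column && $ORDERABLE{$column};
    my $dir = (lc($direction // 'asc') eq 'desc') ? '-desc' : '-asc';
    return { $dir => $column };
}

# Builder as the advisory describes it: bindtype is set but quote_char
# is not, so identifiers are copied into the SQL string verbatim.
my $unquoted = SQL::Abstract->new(bindtype => 'columns');

# Hardened builder: quote_char makes SQL::Abstract wrap identifiers
# (table, field list, where keys, order_by) in double quotes. This is
# defence in depth on top of the allowlist, not a substitute for it.
my $quoted = SQL::Abstract->new(
    bindtype   => 'columns',
    quote_char => '"',
    name_sep   => '.',
);

my $order = safe_order_by('created_at', 'desc');
for my $builder ($unquoted, $quoted) {
    my ($stmt, @bind) = $builder->select(
        'users', [qw(id email)], { active => 1 }, $order,
    );
    print "$stmt\n";   # compare the ORDER BY clause with and without quoting
}

# Anything outside the allowlist is refused before any SQL is built.
eval { safe_order_by('not_a_column', 'asc') };
print "rejected: $@" if $@;
```

Values such as the where-clause `1` stay placeholder-bound in both builders; only the identifier handling differs between them.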