CVE-2026-13766

SQL Injection in DBIx::QuickORM Perl Module

Vulnerability report for CVE-2026-13766, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CPANSec

Description

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.


Affected Vendors & Products

Vendor: exodist
Product: dbix_quickorm
Version / Range: all versions up to 0.000026 (exclusive)

Exploitability

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Compliance Impact

This vulnerability allows SQL injection via unquoted SQL identifiers, which can lead to unauthorized data disclosure and tampering.

Such unauthorized access and manipulation of data can compromise the confidentiality and integrity of sensitive information, potentially violating compliance requirements of standards like GDPR and HIPAA that mandate protection of personal and health data.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to data breaches or unauthorized data modifications.

Executive Summary

CVE-2026-13766 is a SQL injection vulnerability in DBIx::QuickORM versions before 0.000026 for Perl. It occurs because the default SQL builder does not quote SQL identifiers such as column names, order_by clauses, where keys, and join aliases. This means that attacker-controlled input supplied to these identifier positions is included verbatim in the SQL query, allowing an attacker to inject malicious SQL code.

Specifically, the SQL::Abstract subclass used as the default SQL builder sets bindtype but never sets quote_char, so identifiers are not quoted. As a result, untrusted input forwarded to identifier positions like order_by or where-clause column keys can lead to SQL injection, enabling attackers to manipulate the query's behavior, such as changing row order or disclosing and tampering with data.

Impact Analysis

This vulnerability can allow an attacker to perform SQL injection attacks by injecting malicious SQL code through unquoted SQL identifiers. The impact includes the ability to manipulate the order of query results, disclose sensitive data, and tamper with data in the database.

Because attacker-controlled input can reach the SQL string raw in identifier positions, an attacker could craft inputs that execute sub-selects or modify where and update clauses, potentially leading to unauthorized data access or modification.

Detection Guidance

This vulnerability involves SQL injection via unquoted SQL identifiers in DBIx::QuickORM. Detection involves identifying if your application uses DBIx::QuickORM versions before 0.000026 and if it forwards untrusted input to SQL identifier positions such as order_by, where-clause column keys, field lists, upsert columns, or join aliases.

To detect exploitation attempts, monitor SQL query logs for identifier positions (order_by terms, where-clause column names, field lists) that carry injected SQL fragments rather than a bare column name.

Suggested commands include searching application logs or database query logs for unquoted identifiers or unusual SQL syntax in order_by or where clauses. For example, using grep or similar tools to find suspicious patterns:

  • grep -iE "order_by.*[;'\"]" /path/to/app/logs/*
  • grep -iE "where.*[;'\"]" /path/to/db/query/logs/*

Additionally, review application source code for usage of DBIx::QuickORM methods that accept user input in identifier positions without proper quoting.

Mitigation Strategies

The primary mitigation is to upgrade DBIx::QuickORM to version 0.000026 or later, where the vulnerability is fixed by enforcing quoting of all SQL identifiers.

If immediate upgrade is not possible, ensure that any user input forwarded to SQL identifier positions (order_by, where-clause keys, field lists, upsert columns, join aliases) is properly sanitized or restricted to safe values.

Review and modify application code to avoid passing raw user input as plain strings in identifier positions. Instead, use scalar references or hash forms as recommended by the patch to safely quote identifiers.
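As an added example (not DBIx::QuickORM's or SQL::Abstract's own code), the Perl below drives SQL::Abstract directly to show the behaviour the description and this mitigation refer to: a builder with no quote_char emits an order_by string verbatim, a builder with quote_char set quotes it, and an allowlist check in the caller keeps untrusted input out of identifier positions altogether. The users table and its columns, the %SORTABLE allowlist and the hostile sort value are constructed for the illustration, and SQL::Abstract must be installed from CPAN.

```perl
#!/usr/bin/env perl
# Added illustration, not DBIx::QuickORM code. Drives SQL::Abstract directly
# to show the unquoted-identifier behaviour and an allowlist mitigation.
use strict;
use warnings;
use SQL::Abstract;

# Constructed allowlist: the only columns a request may sort by.
my %SORTABLE = map { $_ => 1 } qw(id name created_at);

# Validate an untrusted sort parameter before it reaches an identifier
# position. Accepts "col" or "col:desc" and dies on anything else, so an
# arbitrary string can never be forwarded as a raw order_by.
sub safe_order_by {
    my ($param) = @_;
    my ($col, $dir) = split /:/, ($param // ''), 2;
    die "unsupported sort column\n" unless defined $col && $SORTABLE{$col};
    $dir //= 'asc';
    die "unsupported sort direction\n" unless $dir =~ /\A(asc|desc)\z/;
    # Hash form: the direction is a key; only the allowlisted column is the identifier.
    return { "-$dir" => $col };
}

# Two builders: the vulnerable configuration (bindtype set, quote_char never
# set, as the advisory describes) and one that quotes every identifier.
my $unquoted = SQL::Abstract->new(bindtype => 'normal');
my $quoted   = SQL::Abstract->new(bindtype => 'normal',
                                  quote_char => '"', name_sep => '.');

# Constructed hostile sort parameter: an expression, not a column name.
my $hostile = 'name, (SELECT 1)';

# Forwarded raw, the unquoted builder emits it verbatim into ORDER BY,
# while the value in the where clause is still placeholder-bound.
my ($bad_sql, @bind) = $unquoted->select('users', ['id', 'name'],
                                         { status => 'active' }, $hostile);
print "unquoted, raw input: $bad_sql  [bind: @bind]\n";

# The quoting builder turns the same input into one bogus quoted identifier,
# which the database rejects instead of evaluating.
my ($quoted_sql) = $quoted->select('users', ['id', 'name'],
                                   { status => 'active' }, $hostile);
print "quoted, raw input  : $quoted_sql\n";

# With the allowlist, hostile input never reaches the builder at all.
my ($ok_sql) = $unquoted->select('users', ['id', 'name'],
                                 { status => 'active' }, safe_order_by('name:desc'));
print "allowlisted        : $ok_sql\n";
eval { safe_order_by($hostile); 1 } or print "rejected: $@";
```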

Monitor and audit SQL queries for suspicious unquoted identifiers and injection attempts.
