13 matches found
CVE-2026-39356
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
SQL Injection
Overview drizzle-orm is a Drizzle ORM package for SQL databases Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to...
GHSA-GPJ5-G38J-94V9 Drizzle ORM has SQL injection via improperly escaped SQL identifiers
Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...
EUVD-2026-19909
Drizzle ORM has SQL injection via improperly escaped SQL identifiers...
Drizzle ORM has SQL injection via improperly escaped SQL identifiers
Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...
0xble (>=21.4.1 <=22.1.2), @10xsai/ts-serverless (>=0.1.0 <=0.1.1) +1432 more potentially affected by CVE-2026-39356 via drizzle-orm (>=0.37.0 <=0.45.1)
drizzle-orm NPM version =0.37.0, =21.4.1, =0.1.0, =0.1.0, =1.0.10, =0.22.5, =0.1.0, =1.16.47, =1.16.47, =0.19.0, =1.0.0, =0.0.6, =0.1.0, =0.4.2, =0.2.0, =0.12.0 and more Source cves: CVE-2026-39356 Source advisory: SNYK:JS-DRIZZLEORM-16000009...
0xble (>=21.4.1 <=22.1.2), 5e-srd-tools (>=0.0.4 <=0.0.34) +2004 more potentially affected by CVE-2026-39356 via drizzle-orm (>=0.11.6 <=0.45.1)
drizzle-orm NPM version =0.11.6, =21.4.1, =0.0.4, =0.0.1, =0.1.0, =0.1.0, =1.0.10, =0.22.5, =0.1.0, =1.16.47, =1.16.47, =0.19.0, =1.0.0, =1.0.0, =0.0.6, =1.1.1-0 - @aeriondyseti/mcp-memory =0.1.0 and more Source cves: CVE-2026-39356 Source advisory: OSV:GHSA-GPJ5-G38J-94V9...
CVE-2026-39356
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
CVE-2026-39356
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
CVE-2026-39356 SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
CVE-2026-39356
CVE-2026-39356 affects Drizzle ORM. Prior to 0.45.2 and 1.0.0-beta.20, dialect-specific escapeName() did not escape embedded SQL identifier delimiters before quoting, enabling injection when attacker-controlled input reaches APIs that construct SQL identifiers or aliases (e.g., sql.identifier(), ...
CVE-2026-39356 SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
drizzle-orm SQL注入漏洞
Drizzle-ORM is a lightweight, multi-database-supported TypeScript ORM project developed by the Drizzle Team. Versions of drizzle-orm prior to 0.45.2 and 1.0.0-beta.20 contain a SQL injection vulnerability. This vulnerability arises from the improper escaping of SQL identifiers in the escapeName...