37 matches found

NVD, added 2026/05/20 10:16 p.m., 9 views

CVE-2026-40102

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...

CVSS 6.5, EPSS 0.00037
Exploits: 1, References: 2
Positive Technologies, added 2026/05/20 12:00 a.m., 7 views

PT-2026-42269

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...

CVSS 6.5, AI score 5.8, EPSS 0.00037
Exploits: 1, References: 3
Positive Technologies, added 2026/04/07 12:00 a.m., 2 views

PT-2026-31003

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...

CVSS 7.5, AI score 5.8, EPSS 0.00017
Exploits: 0, References: 3
Cvelist, added 2026/03/31 8:45 p.m., 20 views

CVE-2026-34613 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

CVSS 6.5, EPSS 0.00008
Exploits: 1, References: 1
GithubExploit, added 2026/03/10 6:33 p.m., 100 views

sql-injection-corpus

SQL Injection Corpus - User Guide Overview This corpus con...

AI score 5.9
Exploits: 0
EUVD, added 2026/02/26 10:15 p.m., 2 views

EUVD-2026-8907

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup...

CVSS 4.3, AI score 5.3, EPSS 0.0004
Exploits: 1, References: 2
OSV, added 2026/02/26 10:15 p.m., 3 views

GHSA-G8GC-6C4H-JG86 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

Summary: Three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitra...

CVSS 4.3, AI score 5.7, EPSS 0.0004
Exploits: 1, References: 4
Cvelist, added 2026/02/26 10:07 p.m., 16 views

CVE-2026-27839 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition...

CVSS 4.3, EPSS 0.0004
Exploits: 1, References: 2
Github Security Blog, added 2026/01/13 8:37 p.m., 8 views

Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State

Summary / Description: A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or...

CVSS 8.2, AI score 6.9, EPSS 0.00037
Exploits: 0, References: 3, Affected Software: 1
Tenable Nessus, added 2025/10/21 12:00 a.m., 6 views

Object-Relational Mapping (ORM) Leak

An Object-Relational Mapping (ORM) Leak vulnerability occurs when an application does not properly control how user-provided data is passed to the ORM. An attacker can exploit this by manipulating input parameters to query fields that are not intended to be exposed. This can lead to the disclosure ...

AI score 6.4
Exploits: 0, References: 1
EUVD, added 2025/10/07 12:30 a.m., 5 views

EUVD-2019-0268

Malware in sbrugna...

CVSS 9.8, AI score 9.4, EPSS 0.00486
Exploits: 0, References: 6
EUVD, added 2025/10/07 12:30 a.m., 1 view

EUVD-2019-0359

Malware in sbrugna...

CVSS 9.8, AI score 9.4, EPSS 0.00486
Exploits: 0, References: 6
Cvelist, added 2023/11/10 6:11 p.m., 10 views

CVE-2023-47128 piccolo SQL Injection via named transaction savepoints

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoint's name...

CVSS 9.1, AI score 9.8, EPSS 0.00228
Exploits: 1, References: 2
CVE, added 2023/11/10 6:11 p.m., 43 views

CVE-2023-47128

Piccolo ORM (Python) before 1.1.1 is vulnerable to SQL injection via named transaction savepoints. The root cause is building and executing SAVEPOINT commands with user-supplied input using f-strings, which can lead to arbitrary read/modify operations and even server compromise per the descriptio...

CVSS 9.1, AI score 9.6, EPSS 0.00228
Exploits: 1, References: 2, Affected Software: 1
OSV, added 2023/11/10 6:11 p.m., 10 views

CVE-2023-47128 piccolo SQL Injection via named transaction savepoints

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoint's name...

CVSS 9.1, AI score 9.6, EPSS 0.00228
Exploits: 1, References: 4
The Hacker News, added 2023/06/28 7:24 a.m., 3 views

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas...

CVSS 9.8, AI score 8.4, EPSS 0.01058
Exploits: 0
CVE, added 2022/12/12 1:49 a.m., 56 views

CVE-2022-2808

CVE-2022-2808 affects the Algan Software Prens Student Information System prior to version 2.1.11. The connected PT-2022-18798 entry clarifies the issue as an Authorization Bypass Through User-Controlled Key vulnerability that enables Object-Relational Mapping Injection and is accompanied by an a...

CVSS 8.8, AI score 7.3, EPSS 0.00283
Exploits: 0, References: 2, Affected Software: 1
Cvelist, added 2022/12/12 1:49 a.m., 17 views

CVE-2022-2808 IDOR in Prens Student Information System

Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11...

CVSS 8.8, AI score 8.9, EPSS 0.00283
Exploits: 0, References: 2
ATTACKERKB, added 2022/12/02 3:00 p.m., 1 view

CVE-2022-2808

Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11...

CVSS 8.8, AI score 7.3, EPSS 0.00283
Exploits: 0, References: 3
NVD, added 2022/12/02 12:15 p.m., 13 views

CVE-2022-2808

Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11...

CVSS 8.8, EPSS 0.00283
Exploits: 0, References: 2