Lucene search
K

6 matches found

Cvelist
Cvelist
added 2026/06/30 11:20 a.m.31 views

CVE-2026-13766 DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quotechar, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers orderby, where-claus...

0.0035EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/30 11:20 a.m.6 views

EUVD-2026-40295

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quotechar, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers orderby, where-claus...

9.8CVSS5.8AI score0.0035EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 11:20 a.m.20 views

CVE-2026-13766

Summary: CVE-2026-13766 affects DBIx::QuickORM prior to 0.000026 for Perl. The default SQL builder (SQL::Abstract subclass) does not set quote_char, causing unquoted identifiers (order_by, where keys, field/returning lists, upsert columns, join aliases) to be emitted verbatim and fed into the SQL...

9.8CVSS5.8AI score0.0035EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53847

Name of the Vulnerable Software and Affected Versions DBIx::QuickORM versions prior to 0.000026 Description An issue exists where SQL identifiers are emitted verbatim into generated queries without proper quoting or escaping. This occurs because the default SQL builder, a SQL::Abstract subclass,...

9.8CVSS5.8AI score0.0035EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/13 7:22 p.m.8 views

CVE-2026-42550

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

8.8CVSS6AI score0.00396EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/02/28 10:16 p.m.4 views

CVE-2026-28562

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::gettopics where the ORDER BY clause relies on ineffective escsql sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials...

9.8CVSS0.00428EPSS
Exploits0References3
Rows per page
Query Builder