SQL Injection Vulnerability in DBIx::QuickORM for Perl
CVE-2026-13766

9.8 CRITICAL

Key Information:

Vendor

Exodist

CVE Published:
30 June 2026

What is CVE-2026-13766?

The DBIx::QuickORM library for Perl is susceptible to SQL injection due to the handling of unquoted SQL identifiers. Specifically, the default SQL builder, a subclass of SQL::Abstract, does not properly quote identifiers, allowing an attacker to inject malicious SQL code through user-controlled inputs such as order_by values and other identifier positions. This vulnerability can lead to unauthorized data disclosure and tampering, enabling attackers to manipulate query behavior to extract sensitive data.
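
A defensive pattern for the identifier positions described above, written as an added example (it is not code from DBIx::QuickORM or from its fix): user-supplied sort keys are matched against an allow-list before they reach the builder, and SQL::Abstract is constructed with identifier quoting enabled. The `users` table, its column names, the `safe_order_by` helper and the sample requests are assumptions made for illustration.

```perl
use strict;
use warnings;
use SQL::Abstract;

# Constructed schema for illustration: columns of "users" that may be sorted on.
my %SORTABLE = map { $_ => 1 } qw(id name created_at);

# Hypothetical helper: turn an untrusted sort request into an order_by
# structure, or die. Only exact allow-list matches are accepted, so the value
# placed in the identifier position is always one of our own column names.
sub safe_order_by {
    my ($column, $direction) = @_;
    die "unsupported sort column\n"
        unless defined $column && !ref $column && $SORTABLE{$column};
    # Direction is reduced to one of two fixed keywords, never passed through.
    my $dir = (defined $direction && lc $direction eq 'desc') ? '-desc' : '-asc';
    return { $dir => $column };
}

# quote_char and name_sep ask SQL::Abstract to quote the identifiers it emits,
# as a second layer behind the allow-list.
my $sqla = SQL::Abstract->new(quote_char => '"', name_sep => '.');

# Constructed requests: one legitimate, one that is not a plain column name.
my @requests = (
    [ 'name',             'desc' ],
    [ 'name, (select 1)', 'asc'  ],
);

for my $req (@requests) {
    my ($stmt, @bind) = eval {
        $sqla->select('users', [qw(id name)], { active => 1 },
                      safe_order_by(@$req));
    };
    if ($@) {
        print "rejected: $@";
        next;
    }
    # Values travel as bind parameters; identifiers come only from %SORTABLE.
    print "$stmt\n";
}
```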

Affected Version(s)

DBIx::QuickORM 0 < 0.000026

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
