HarborGuard Database
CVE-2026-13766 | Severity: CRITICAL | CNA: CPANSec

CVE-2026-13766: DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0.000026
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection via unquoted SQL identifiers affects DBIx::QuickORM for Perl in all versions before 0.000026. The root cause is that the library's default SQL builder never sets a quote character, so caller-supplied identifiers such as order_by values, column keys, field lists, and join aliases flow into the generated SQL string without escaping; values, by contrast, are placeholder-bound and unaffected. The vulnerability is reachable over the network with no authentication required wherever an application forwards untrusted input into one of these identifier positions. Successful exploitation gives an attacker the ability to read arbitrary data, modify persisted rows, and potentially disrupt the application. A patched-image rebuild at version 0.000026 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-13766 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including CPANSec) within minutes of publication and matched against all customer images, including custom-built images that bundle DBIx::QuickORM as a dependency. Any image layer containing a vulnerable version of the package is flagged automatically during both registry scans and pipeline build-time checks.
Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it accordingly in each customer's findings queue, weighted against that environment's compliance policy to reflect actual risk posture. Routing rules within each customer organization direct the finding to the appropriate team inbox based on image ownership and policy configuration.
Patch: Available

A patched-image rebuild at DBIx::QuickORM 0.000026 becomes available on HarborGuard as soon as the upstream fix is indexed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable library is consumed by a network-accessible application, so an attacker must be able to reach the service over the network to supply malicious identifier input.

  • Authentication: Not required

    No credentials are needed; any unauthenticated request that reaches an identifier-accepting endpoint is sufficient to trigger the injection.

  • Victim interaction: Not required

    No user action is needed; the attacker sends a crafted request directly to the application without involving a victim.

  • Attack complexity: Low

    Exploit complexity is low; no race conditions, special memory layout, or environmental preconditions are required, making the attack reliable and repeatable.

Blast Radius

  • An attacker reads arbitrary database rows, including columns never intended to be returned by the vulnerable query, by injecting sub-selects through the order_by or where identifier positions.
  • An attacker modifies persisted database rows by injecting into update or upsert identifier positions, corrupting application state or user records.
  • An attacker enumerates schema structure (table names, column names) by crafting injected sub-selects that leak metadata through observable query behavior.
  • Complete confidentiality, integrity, and availability of the backing database are at risk, matching the CVSS v3.1 C:H/I:H/A:H impact ratings.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-13766 is active across all connected registries and build pipelines, with the finding scored at 9.8 CRITICAL and routed according to each environment's compliance policy. Where auto-remediation is enabled, HarborGuard rebuilds affected images at DBIx::QuickORM 0.000026, runs regression tests, and opens a pull request against impacted workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is not enabled or is gated by policy approval, the finding appears in the findings queue with remediation guidance pointing to the 0.000026 release. As a compensating control while a rebuild is pending, consider restricting network access to services that expose identifier-accepting endpoints (order_by, column key inputs) and validating or allowlisting identifier values at the application layer before they reach DBIx::QuickORM.
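As an added example that is not DBIx::QuickORM's own code, the following Perl illustrates both the root cause described in the advisory text and the compensating control recommended above. It builds two SQL::Abstract objects, one constructed the way the advisory describes the affected default (bindtype set, quote_char never set) and one with quote_char set, then shows an application-layer allowlist that keeps request input out of the order_by identifier position entirely. It requires SQL::Abstract from CPAN; the bindtype value, the users table, its column names and the request parameter are assumptions constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not code from DBIx::QuickORM. It contrasts a SQL::Abstract
# builder shaped like the advisory's description of the affected default with
# a quote_char-enabled builder, and then applies an identifier allowlist.
use strict;
use warnings;
use SQL::Abstract;

# Builder shaped like the affected default: bindtype set, quote_char never set.
# Assumption: the advisory does not say which bindtype value is used; 'columns'
# is chosen here only so that bound values are visibly paired with column names.
my $unquoted = SQL::Abstract->new(bindtype => 'columns');

# Hardened builder: every identifier is wrapped in quote_char. Values are bound
# through placeholders in both builders; only identifier handling differs.
my $quoted = SQL::Abstract->new(
    bindtype   => 'columns',
    quote_char => '"',
    name_sep   => '.',
);

# Constructed request parameter that a careless caller forwards straight into
# order_by. It is deliberately not a bare column name.
my $untrusted_order = 'name, (SELECT 1)';

for my $sqla ($unquoted, $quoted) {
    my ($stmt, @bind) = $sqla->select(
        'users', [qw(id name)], { active => 1 }, $untrusted_order,
    );
    # The unquoted builder places the parameter into the SQL text verbatim,
    # and the field list and where-clause key are emitted raw as well. The
    # quoted builder wraps each identifier in quote_char, so the parameter
    # becomes a single (non-existent) column name rather than SQL syntax.
    print "$stmt\n";
}

# Application-layer control the advisory recommends: accept only a known
# column name plus an optional direction, and hand SQL::Abstract a structured
# order_by instead of a raw string.
my %ORDERABLE = map { $_ => 1 } qw(id name created_at);   # constructed allowlist

sub safe_order_by {
    my ($param) = @_;
    my ($col, $dir) = $param =~ /^(\w+)(?:\s+(asc|desc))?\z/i
        or die "order_by rejected: not a bare identifier\n";
    die "order_by rejected: unknown column '$col'\n" unless $ORDERABLE{$col};
    return { ($dir && lc($dir) eq 'desc' ? '-desc' : '-asc') => $col };
}

for my $param ('name desc', $untrusted_order) {
    my $order = eval { safe_order_by($param) };
    if (!$order) {
        print "rejected '$param': $@";
        next;
    }
    my ($stmt) = $quoted->select('users', [qw(id name)], { active => 1 }, $order);
    print "$stmt\n";
}
```

The allowlist, not quoting, is the control to rely on: quoting turns the whole parameter into one identifier, which makes the query fail rather than run attacker-controlled SQL, but mapping request input onto a fixed set of column names keeps untrusted text out of the identifier position altogether, and the same mapping applies to field lists, where-clause keys and any other identifier position the advisory lists.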


Fix available: 0.000026
Patch commits
Affected packages
  • EXODIST / DBIx::QuickORM: < 0.000026 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H