CVE-2026-26198 in ormarinfo

Zusammenfassung

von MITRE • 24.02.2026

Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

11.02.2026

Veröffentlichung

24.02.2026

Moderieren

akzeptiert

Eintrag

VDB-347431

CPE

bereit

CWE

CWE-89 (bestätigt)

CVSS

9.8 (CNA)

EPSS

0.00024

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-26198
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-26198
CVE Details	https://www.cvedetails.com/cve/CVE-2026-26198/

◂ Zurück Übersicht Weiter ▸

Might our Artificial Intelligence support you?

Check our Alexa App!