CVE-2026-39356

EPSS 0.03%
Veröffentlicht 07.04.2026 19:58:46
Zuletzt bearbeitet 15.04.2026 17:19:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Drizzle ≫ Drizzle SwPlatformnode.js Version < 0.45.2

Drizzle ≫ Drizzle Version1.0.0 Updatebeta1 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta11 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta12 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta13 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta14 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta15 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta16 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta17 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta18 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta19 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta2 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta3 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta4 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta5 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta6 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta7 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta8 SwPlatformnode.js

Drizzle ≫ Drizzle Version1.0.0 Updatebeta9 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.094

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-39356

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39356

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39356

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39356