VIR Vulnerability Intelligence Relay

CVE-2026-26198

unknown
Published 2026-02-23 Β· Modified 2026-02-24
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
β€”

Description

Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.

Predictions

Exploit likelihood
30%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker Β· View original β†— Β· DFSG

CVE-2026-26198 NameCVE-2026-26198 DescriptionOrmar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the…

CVE-2026-26198

NameCVE-2026-26198
DescriptionOrmar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1129259

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ormar (PTS)bookworm0.12.0-3vulnerable
forky, sid0.24.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ormarsource(unstable)0.23.0-11129259

Notes

[bookworm] - ormar <no-dsa> (Minor issue)
https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr
Fixed by: https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16 (0.23.0)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
[bookworm] - ormar <no-dsa> (Minor issue)https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqrFixed by: https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16 (0.23.0)

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianforkyfixed0.23.0-1
debian debiansidfixed0.23.0-1

Package impact
EcosystemPackageVulnerableFixed
python PyPIormar>=0.9.9,<0.23.00.23.0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.