


    2 vulnerabilities by collerek

    CVE-2026-27953 (GCVE-0-2026-27953)

    Vulnerability from cvelistv5 – Published: 2026-03-19 20:23 – Updated: 2026-03-20 18:10
    Title
    ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
    Summary
    ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor: by injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application that uses an ormar.Model directly as a request body parameter; the precondition is that request JSON reaches the model constructor unfiltered, so endpoints that do not accept an ormar.Model body are outside what this description covers. Note that the text says "unauthenticated" while the CVSS 3.1 vector in the record below is scored PR:L (low privileges required) — treat any endpoint that deserializes a request body into an ormar.Model as exposed regardless of its authentication. This issue has been fixed in version 0.23.1; upgrading to 0.23.1 or later also covers CVE-2026-26198 (patched in 0.23.0).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    ormar-orm ormar Affected: < 0.23.1 (the same package is listed under vendor "collerek" in CVE-2026-26198 below and its references point at github.com/collerek/ormar; inventory or vendor-filtered searches should match both names)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27953",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T17:04:35.323858Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T18:10:57.521Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ormar",
              "vendor": "ormar-orm",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar\u0027s canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T20:23:06.379Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292"
            },
            {
              "name": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-f964-whrq-44h8",
            "discovery": "UNKNOWN"
          },
          "title": "ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-27953",
        "datePublished": "2026-03-19T20:23:06.379Z",
        "dateReserved": "2026-02-25T03:11:36.691Z",
        "dateUpdated": "2026-03-20T18:10:57.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26198 (GCVE-0-2026-26198)

    Vulnerability from cvelistv5 – Published: 2026-02-24 02:03 – Updated: 2026-02-24 20:35
    Title
    ormar is vulnerable to SQL Injection through aggregate functions min() and max()
    Summary
    Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthenticated user (the record is scored PR:N) can exploit this to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter — provided the application passes a request-controlled value as the column argument to `min()`/`max()`; calls with hard-coded column names are not reachable from attacker input. Version 0.23.0 contains a patch; until upgraded, restrict the column argument to an allow-list of the model's own field names before it reaches the ORM.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    collerek ormar Affected: >= 0.9.9, < 0.23.0 (same package as vendor "ormar-orm" in CVE-2026-27953 above; note that 0.23.0 fixes this issue but is itself affected by CVE-2026-27953, so the safe target is 0.23.1 or later)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26198",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T20:29:06.990744Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T20:35:44.673Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ormar",
              "vendor": "collerek",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.9, \u003c 0.23.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T02:03:47.094Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr"
            },
            {
              "name": "https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16"
            },
            {
              "name": "https://github.com/collerek/ormar/releases/tag/0.23.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/collerek/ormar/releases/tag/0.23.0"
            }
          ],
          "source": {
            "advisory": "GHSA-xxh2-68g9-8jqr",
            "discovery": "UNKNOWN"
          },
          "title": "ormar is vulnerable to SQL Injection through aggregate functions min() and max()"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26198",
        "datePublished": "2026-02-24T02:03:47.094Z",
        "dateReserved": "2026-02-11T19:56:24.813Z",
        "dateUpdated": "2026-02-24T20:35:44.673Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }