Security Advisories (1)
CVE-2026-13766 (2026-06-30)

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

NAME

DBIx::QuickORM::STH::Aside - Async statement handle run on an aside connection.

DESCRIPTION

A DBIx::QuickORM::STH::Async variant whose query runs on a separate "aside" connection rather than the primary one. It behaves exactly like the async handle except that finalizing it releases the aside connection back to the owning connection.

SYNOPSIS

while (my $row_hr = $sth->next) { ... }

PUBLIC METHODS

$sth->clear

Release the aside connection back to the owning connection.

SOURCE

The source code repository for DBIx::QuickORM can be found at https://github.com/exodist/DBIx-QuickORM.

MAINTAINERS

Chad Granum <exodist@cpan.org>

AUTHORS

Chad Granum <exodist@cpan.org>

COPYRIGHT

Copyright Chad Granum <exodist7@gmail.com>.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See https://dev.perl.org/licenses/