CVE-2026-26198 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: February 24, 2026
Ormar - SQL Injection
Overview
Ormar 0.9.9 through 0.22.0 contains a SQL injection caused by unsanitized user input being passed to sqlalchemy.text() in aggregate queries, letting unauthorized attackers read the entire database contents via subquery injection. Exploitation requires crafted aggregate function parameters.
Severity & Score
Impact
Unauthorized attackers can read entire database contents, including unrelated tables, leading to full information disclosure.
Mitigation
Update to version 0.23.0 or later.
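The pattern the advisory describes, shown as an unchecked aggregate builder beside an allowlist-checked one, is added here as an illustration and is not Ormar's code; it uses plain SQL strings and the standard-library sqlite3 module in place of sqlalchemy.text() so it runs without SQLAlchemy, and the model columns, table and rows are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for an ORM model's declared columns (not Ormar's code).
MODEL_COLUMNS = {"products": ("id", "name", "price")}
ALLOWED_AGGREGATES = {"min", "max", "sum", "avg", "count"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_aggregate_unsafe(table: str, func: str, column: str) -> str:
    # The advisory's pattern: the caller-supplied column name is spliced into raw
    # SQL text (stand-in for sqlalchemy.text(f"{func}({column})")), so whatever the
    # caller passes becomes part of the statement unchanged.
    return f"SELECT {func}({column}) FROM {table}"

def build_aggregate_safe(table: str, func: str, column: str) -> str:
    # Hardened form: aggregate and column must both match fixed allowlists (the
    # column list comes from the model definition), and the identifier is
    # syntax-checked and quoted before it is placed in the SQL text.
    func = func.lower()
    if func not in ALLOWED_AGGREGATES:
        raise ValueError(f"unsupported aggregate: {func!r}")
    columns = MODEL_COLUMNS.get(table)
    if columns is None:
        raise ValueError(f"unknown table: {table!r}")
    if column not in columns or not _IDENT.match(column):
        raise ValueError(f"unknown column for {table}: {column!r}")
    return f'SELECT {func}("{column}") FROM "{table}"'

def accepts(table: str, func: str, column: str) -> bool:
    # True only if the hardened builder would accept this request.
    try:
        build_aggregate_safe(table, func, column)
        return True
    except ValueError:
        return False

def demo_connection() -> sqlite3.Connection:
    # Constructed in-memory data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.5), (2, "gadget", 30.0), (3, "gizmo", 12.25)])
    return conn

def run_aggregate(conn: sqlite3.Connection, table: str, func: str, column: str):
    # Only the allowlist-checked builder ever reaches the database.
    return conn.execute(build_aggregate_safe(table, func, column)).fetchone()[0]
```

The same allowlist check applies whether the aggregate is min(), max() or any other function name the API exposes; the column name is never trusted as SQL text.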
References
Social Media Activity (2 posts)
CVE-2026-26198: CRITICAL SQLi in Ormar Python ORM (0.9.9 → 0.22.0). min() & max() allow injection - no auth needed! Patch with v0.23.0+. Audit & monitor now. Details: https://radar.offseq.com/threat/cve-2026-26198-cwe-89-improper-neutralization-of-s-7460e41f #OffSeq #SQLInjection #Python

CVE-2026-26198 - Critical (9.8) Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanit... https://www.thehackerwire.com/vulnerability/CVE-2026-26198/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

GitHub Repositories (1 repo)
Related Resources
Details
- CVE ID: CVE-2026-26198
- Severity: Critical
- CVSS Score: 9.8
- Type: sql_injection
- Status: unconfirmed
- EPSS: 4.5%
- Social Posts: 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H