{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39356", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T19:58:46.348Z", "dateUpdated": "2026-04-08T14:33:54.466Z"}, "containers": {"cna": {"title": "SQL Injection via escapeName() in all Drizzle ORM SQL dialects", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9"}], "affected": [{"vendor": "drizzle-team", "product": "drizzle-orm", "versions": [{"version": "< 0.45.2", "status": "affected"}, {"version": ">= 1.0.0-beta.2, < 1.0.0-beta.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:58:46.348Z"}, "descriptions": [{"lang": "en", "value": "Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20."}], "source": {"advisory": "GHSA-gpj5-g38j-94v9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:33:41.458749Z", "id": "CVE-2026-39356", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:33:54.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "SQL Injection via escapeName() in all Drizzle ORM SQL dialects", "source": {"advisory": "GHSA-gpj5-g38j-94v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "drizzle-team", "product": "drizzle-orm", "versions": [{"status": "affected", "version": "< 0.45.2"}, {"status": "affected", "version": ">= 1.0.0-beta.2, < 1.0.0-beta.20"}]}], "references": [{"url": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9", "name": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:58:46.348Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:33:41.458749Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-08T14:33:47.867Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-39356", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:58:46.348Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:58:46.348Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20."}], "id": "CVE-2026-39356", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:29.610", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.45.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0-beta.2,1.0.0-beta.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "drizzle-orm", "source": "cna", "vendor": "drizzle-team"}, "product": "drizzle-orm", "vendor": "drizzle-team"}], "analysis": {"en": {"generated_at": "2026-04-07T22:16:18.322441+00:00", "value": {"mitigation_remediation": ["Upgrade drizzle-orm to version 0.45.2 or later, or 1.0.0-beta.20 or later if using the beta branch."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Applications built with drizzle-team/drizzle-orm versions earlier than 0.45.2 for the stable branch or earlier than 1.0.0-beta.20 for the beta branch are affected. Any API that accepts attacker-controlled identifiers, such as sql.identifier() or .as(), can be vulnerable.", "description_and_impact": "Drizzle ORM incorrectly escaped quoted SQL identifiers in its escapeName() implementations, allowing attacker-controlled input to terminate a quoted identifier and inject arbitrary SQL. This flaw directly maps to CWE-89 and can result in unintended data disclosure or modification through the manipulated SQL query.", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate to high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. Exploitation requires passing malicious input through an interface that constructs SQL identifiers; thus the attack vector is likely via application input (e.g., web form or API endpoint). While the vulnerability can lead to significant compromise of data integrity and confidentiality, it does not provide direct remote code execution. The risk is therefore substantial for exposed applications that accept arbitrary identifier input without validation."}}}}, "created": "2026-04-08T19:34:25.384209+00:00", "updated": "2026-04-08T19:45:54.335986+00:00", "vendors": ["drizzle-team", "drizzle-team$PRODUCT$drizzle-orm"]}