Platform: python
Component: ormar
Fixed in: 0.9.10, 0.23.0
CVE-2026-26198 describes a critical SQL Injection vulnerability discovered in Ormar ORM. This flaw allows attackers to inject malicious SQL code by manipulating column names passed to aggregate functions like min() and max(). Versions of Ormar ORM prior to 0.23.0 are affected. A patch has been released to address this issue.
The SQL Injection vulnerability in Ormar ORM poses a significant risk to applications using the ORM. An attacker can exploit it to bypass security controls and interact directly with the underlying database. Successful exploitation could lead to unauthorized data access, modification, or deletion. Depending on the database schema and application logic, an attacker might be able to escalate privileges, gain control of the application server, or compromise the entire system. This vulnerability resembles other SQL Injection flaws in which improper input sanitization allows arbitrary SQL code execution.
CVE-2026-26198 was publicly disclosed on 2026-02-23. The vulnerability's severity is rated CRITICAL (CVSS 9.8). No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation implied by the description suggests a potential for rapid exploitation if a PoC is developed. It is not currently listed in the CISA KEV catalog.
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-26198 is to upgrade Ormar ORM to version 0.23.0 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on all user-supplied data used in SQL queries. Employing parameterized queries or prepared statements can also help prevent SQL Injection attacks. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Review application code for any instances where user input is directly incorporated into SQL queries without proper validation.
Update the Ormar library to version 0.23.0 or higher. This version fixes the SQL Injection vulnerability in the min() and max() aggregate functions. The update will prevent unauthorized users from reading sensitive database information.
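The column-name allowlist the mitigation paragraph calls for, as an added example that is not Ormar's own code (it uses plain sqlite3 and a constructed `book` table): the unsafe builder splices a caller-supplied identifier straight into the statement, the hardened `aggregate()` accepts only the model's declared fields for MIN()/MAX(), and `is_injected()` flags non-identifier strings so they can be logged and alerted on.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demo; not taken from the advisory.
SCHEMA = "CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT, year INTEGER, price REAL)"
ROWS = [(1, "A", 1999, 9.5), (2, "B", 2005, 12.0), (3, "C", 2011, 7.25)]

# The model's declared fields double as the allowlist for column identifiers.
BOOK_COLUMNS = frozenset({"id", "title", "year", "price"})
AGGREGATES = ("MIN", "MAX")


def connect():
    """Open an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO book VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_aggregate_sql_unsafe(func, column):
    """The pattern the advisory describes: a caller-supplied column name is
    spliced into the statement. Identifiers cannot be bound as query
    parameters, so whatever text arrives here becomes part of the SQL."""
    return f"SELECT {func}({column}) FROM book"


def is_injected(column):
    """Detection check for request/audit logs: a legitimate column name is a
    single bare identifier; punctuation, spaces or quotes mean the caller is
    shaping the query rather than naming a column."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", column) is None


def aggregate(conn, func, column, allowed=BOOK_COLUMNS):
    """Hardened form: only the two aggregates this page concerns, only the
    model's declared fields, and the identifier is double-quoted so the SQL
    parser can only ever read it as a column name."""
    if func not in AGGREGATES:
        raise ValueError(f"unsupported aggregate: {func!r}")
    if column not in allowed:
        raise ValueError(f"unknown column: {column!r}")
    quoted = '"' + column.replace('"', '""') + '"'
    return conn.execute(f'SELECT {func}({quoted}) FROM "book"').fetchone()[0]


if __name__ == "__main__":
    db = connect()
    for col in ("year", "year, price"):
        print(col, "->", "reject" if is_injected(col) else aggregate(db, "MAX", col))
```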
CVE-2026-26198 is a critical SQL Injection vulnerability affecting Ormar ORM versions up to 0.9.9. It allows attackers to inject malicious SQL code through crafted strings in aggregate functions, potentially leading to data breaches.
You are affected if you are using Ormar ORM versions 0.9.9 or earlier. Upgrade to version 0.23.0 or later to resolve the vulnerability.
The recommended fix is to upgrade Ormar ORM to version 0.23.0 or later. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data used in SQL queries.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation if a proof-of-concept is released.
Refer to the Ormar project's official repository and release notes for the advisory and details on the fix: https://github.com/Ormar/ormar