CVE-2026-39356

Published: Apr 7, 2026Modified: Apr 15, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

Affected (19)

Products: Drizzle: Drizzle

Drizzle

1 product

Drizzle

Configuration A

19 vulnerable

Vulnerable Software	Affected Versions
Drizzle Drizzle	Before 0.45.2
Drizzle Drizzle	Version 1.0.0 beta11
Drizzle Drizzle	Version 1.0.0 beta12
Drizzle Drizzle	Version 1.0.0 beta13
Drizzle Drizzle	Version 1.0.0 beta14
Drizzle Drizzle	Version 1.0.0 beta15
Drizzle Drizzle	Version 1.0.0 beta16
Drizzle Drizzle	Version 1.0.0 beta17
Drizzle Drizzle	Version 1.0.0 beta18
Drizzle Drizzle	Version 1.0.0 beta19
Drizzle Drizzle	Version 1.0.0 beta1
Drizzle Drizzle	Version 1.0.0 beta2
Drizzle Drizzle	Version 1.0.0 beta3
Drizzle Drizzle	Version 1.0.0 beta4
Drizzle Drizzle	Version 1.0.0 beta5
Drizzle Drizzle	Version 1.0.0 beta6
Drizzle Drizzle	Version 1.0.0 beta7
Drizzle Drizzle	Version 1.0.0 beta8
Drizzle Drizzle	Version 1.0.0 beta9

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (1)

https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.