Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| drizzle-team | drizzle-orm | affected |
|
Configuration 1 [-]
|
No data.
| Vendor | Product | Confidence | Versions | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Drizzle-team | Drizzle-orm | 100% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-gpj5-g38j-94v9 | Drizzle ORM has SQL injection via improperly escaped SQL identifiers |
Wed, 15 Apr 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Drizzle
Drizzle drizzle |
|
| CPEs | cpe:2.3:a:drizzle:drizzle:*:*:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta11:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta12:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta13:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta14:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta15:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta16:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta17:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta18:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta19:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta1:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta2:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta3:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta4:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta5:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta6:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta7:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta8:*:*:*:node.js:*:* cpe:2.3:a:drizzle:drizzle:1.0.0:beta9:*:*:*:node.js:*:* |
|
| Vendors & Products |
Drizzle
Drizzle drizzle |
Wed, 08 Apr 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Drizzle-team
Drizzle-team drizzle-orm |
|
| Vendors & Products |
Drizzle-team
Drizzle-team drizzle-orm |
Wed, 08 Apr 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Apr 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20. | |
| Title | SQL Injection via escapeName() in all Drizzle ORM SQL dialects | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-08T14:33:54.466Z
Reserved: 2026-04-06T21:29:17.349Z
Link: CVE-2026-39356
Vulnrichment
Updated: 2026-04-08T14:33:47.867Z
NVD
Status : Analyzed
Published: 2026-04-07T20:16:29.610
Modified: 2026-04-15T17:19:47.367
Link: CVE-2026-39356
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-04-08T19:45:54Z