Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/drizzle-orm@0.28.5

Type npm

Namespace

Name drizzle-orm

Version 0.28.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.45.2

Latest_non_vulnerable_version 1.0.0-beta.20

Affected_by_vulnerabilities

url VCID-1q49-s2yy-4fd3

vulnerability_id VCID-1q49-s2yy-4fd3

summary Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-39356

reference_id

reference_type

scores

value	0.00017
scoring_system	epss
scoring_elements	0.04498
published_at	2026-06-11T12:55:00Z

value	0.00017
scoring_system	epss
scoring_elements	0.04484
published_at	2026-06-13T12:55:00Z

value	0.00017
scoring_system	epss
scoring_elements	0.045
published_at	2026-06-12T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.04934
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-39356

reference_url

https://github.com/drizzle-team/drizzle-orm

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drizzle-team/drizzle-orm

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-39356

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-39356

reference_url

https://github.com/advisories/GHSA-gpj5-g38j-94v9

reference_id

GHSA-gpj5-g38j-94v9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gpj5-g38j-94v9

reference_url

https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

reference_id

GHSA-gpj5-g38j-94v9

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:33:41Z/

url

https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

fixed_packages

url	pkg:npm/drizzle-orm@0.45.2
purl	pkg:npm/drizzle-orm@0.45.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/drizzle-orm@0.45.2

url	pkg:npm/drizzle-orm@1.0.0-beta.20
purl	pkg:npm/drizzle-orm@1.0.0-beta.20
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/drizzle-orm@1.0.0-beta.20

aliases CVE-2026-39356, GHSA-gpj5-g38j-94v9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1q49-s2yy-4fd3

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/drizzle-orm@0.28.5

Package Instance