{"url":"http://public2.vulnerablecode.io/api/packages/971880?format=json","purl":"pkg:pypi/ormar@0.5.3","type":"pypi","namespace":"","name":"ormar","version":"0.5.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.23.1","latest_non_vulnerable_version":"0.23.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80145?format=json","vulnerability_id":"VCID-qpq1-tz8e-h7hg","summary":"ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor: by injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. 
This issue has been fixed in version 0.23.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27953","reference_id":"","reference_type":"","scores":[{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.65949","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00489","scoring_system":"epss","scoring_elements":"0.66045","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27953"},{"reference_url":"https://github.com/ormar-orm/ormar","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ormar-orm/ormar"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27953","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27953"},{"reference_url":"https://github.com/ormar-orm/ormar/releases/tag/0.23.1","reference_id":"0.23.1","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/releases/tag/0.23.1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494","reference_id":"1131494","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494"},{"reference_url":"https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3","reference_id":"7f22aa21a7614b993970345b392da
bb0ccde0ab3","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55","reference_id":"fastapi_quick_start.py#L55","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41","reference_id":"foreign_key.py#L41","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41"},{"reference_url":"https://github.com/advisories/GHSA-f964-whrq-44h8","reference_id":"GHSA-f964-whrq-44h8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f964-whrq-44h8"},{"reference_url":"https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8","reference_id":"GHSA-f964-whrq-44h8","reference_type":"","scores":[{"v
alue":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89","reference_id":"model.py#L89","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128","reference_id":"newbasemodel.py#L128","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292","reference_id":"newbasemodel.py#L292","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:
M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292"},{"reference_url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108","reference_id":"pydantic.py#L108","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:04:35Z/"}],"url":"https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375250?format=json","purl":"pkg:pypi/ormar@0.23.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ormar@0.23.1"}],"aliases":["CVE-2026-27953","GHSA-f964-whrq-44h8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qpq1-tz8e-h7hg"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ormar@0.5.3"}