{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39356/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-39356"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","drizzle-orm","cve-2026-39356","typescript","orm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDrizzle ORM, a TypeScript ORM, contains a SQL injection vulnerability (CVE-2026-39356) in versions prior to 0.45.2 and 1.0.0-beta.20. The vulnerability stems from improper escaping of quoted SQL identifiers within the \u003ccode\u003eescapeName()\u003c/code\u003e implementations. Specifically, embedded identifier delimiters were not properly escaped before being enclosed in quotes or backticks. This allows attackers to inject arbitrary SQL code by manipulating input passed to APIs like \u003ccode\u003esql.identifier()\u003c/code\u003e or \u003ccode\u003e.as()\u003c/code\u003e which are used to construct SQL identifiers or aliases. Successful exploitation could lead to unauthorized data access, modification, or other database manipulation. Organizations using affected versions of Drizzle ORM are at risk.\nThis issue is resolved in versions 0.45.2 and 1.0.0-beta.20.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application using a vulnerable version of Drizzle ORM (prior to 0.45.2 or 1.0.0-beta.20).\u003c/li\u003e\n\u003cli\u003eAttacker locates input fields or API endpoints that utilize \u003ccode\u003esql.identifier()\u003c/code\u003e or \u003ccode\u003e.as()\u003c/code\u003e to construct SQL queries.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious input containing embedded identifier delimiters (e.g., quotes or backticks) and SQL code.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled input to \u003ccode\u003esql.identifier()\u003c/code\u003e or \u003ccode\u003e.as()\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eDrizzle ORM\u0026rsquo;s vulnerable \u003ccode\u003eescapeName()\u003c/code\u003e function fails to properly escape the malicious delimiters.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL identifier is incorporated into a larger SQL query.\u003c/li\u003e\n\u003cli\u003eThe application executes the compromised SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes, allowing the attacker to perform unauthorized actions such as data exfiltration or modification.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39356 allows attackers to inject arbitrary SQL queries into the application\u0026rsquo;s database interactions. This can lead to sensitive data exposure, unauthorized data modification or deletion, and potentially full database compromise. The severity of the impact depends on the application\u0026rsquo;s database permissions and the sensitivity of the data stored within.\nOrganizations in all sectors utilizing vulnerable Drizzle ORM versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Drizzle ORM to version 0.45.2 or 1.0.0-beta.20 to remediate CVE-2026-39356.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization on all user-supplied input that is used in SQL queries, even after upgrading Drizzle ORM.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Drizzle ORM SQL Injection Attempt\u0026rdquo; to identify exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious patterns in HTTP requests indicative of SQL injection attempts (cs-uri-query, cs-uri-stem log fields).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:00:00Z","date_published":"2026-04-08T12:00:00Z","id":"/briefs/2026-04-drizzle-sql-injection/","summary":"Drizzle ORM versions before 0.45.2 and 1.0.0-beta.20 are vulnerable to SQL injection due to improper escaping of SQL identifiers, allowing attackers to inject malicious SQL code through manipulated input leading to potential data breaches.","title":"Drizzle ORM SQL Injection Vulnerability (CVE-2026-39356)","url":"https://feed.craftedsignal.io/briefs/2026-04-drizzle-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39356","version":"https://jsonfeed.org/version/1.1"}