CVE-2026-39356
SQL Injection via escapeName() in all Drizzle ORM SQL dialects
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
9th
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
| CWE | CWE-89 |
| Vendor | drizzle-team |
| Product | drizzle-orm |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for drizzle-team drizzle-orm
Be the first to know when new high vulnerabilities affecting drizzle-team drizzle-orm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
drizzle-team / drizzle-orm
< 0.45.2 >= 1.0.0-beta.2, < 1.0.0-beta.20