CVE-2026-26198

CRITICAL

Ormar 0.9.9-0.22.0 - SQL Injection via Unsanitized Column Names in Aggregate Queries

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-26198. PoCs published by NetVanguard-cmd, sergicortesabadia, blackhatlegend.

AI-analyzed exploit summary: of the three tracked repositories, only sergicortesabadia/CVE-2026-26198-analysis is classified as a working PoC (vulnerable app, exploit demo, patched version and analysis). NetVanguard-cmd/CVE-2026-26198 contains only a README.md with the CVE ID and no exploit code, and blackhatlegend/CVE-2026-26198 provides no code at all, directing users to an external tinyurl.com download instead, a common pattern for malware or fake exploits.

Description

Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods of the `QuerySet` class accept an arbitrary string as the column parameter. `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields; `min()` and `max()` skip this validation entirely, so an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthenticated attacker who can influence the column argument can read the entire database, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
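To make the vulnerable pattern concrete, the following is an added, self-contained simulation (not Ormar's code and not any of the tracked PoCs): a minimal query-set class that drops the column name into the SQL text unchanged, the way passing it to `sqlalchemy.text()` does, beside a hardened variant that accepts only declared model fields. It runs against an in-memory SQLite database with constructed `products` and `users` tables; the table and column names, the `fields` whitelist and the `HardenedQuerySet` name are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema: the queried model (products) and an unrelated
# table (users) whose contents the injected subquery will pull out.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, price INTEGER);
INSERT INTO products VALUES (1, 10), (2, 25);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
"""

# Attacker-controlled "column name": a scalar subquery against another table.
PAYLOAD = "(SELECT password_hash FROM users WHERE username = 'admin')"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class VulnerableQuerySet:
    """Stand-in for the vulnerable pattern: column text is interpolated as-is."""

    def __init__(self, conn: sqlite3.Connection, table: str) -> None:
        self.conn = conn
        self.table = table

    def _aggregate(self, func: str, column: str):
        # No validation: whatever the caller passes becomes raw SQL inside
        # the aggregate call, exactly the CWE-89 shape described in the CVE.
        sql = f"SELECT {func}({column}) FROM {self.table}"
        return self.conn.execute(sql).fetchone()[0]

    def min(self, column: str):
        return self._aggregate("MIN", column)

    def max(self, column: str):
        return self._aggregate("MAX", column)


class HardenedQuerySet(VulnerableQuerySet):
    """Hypothetical fix: only declared model fields may be aggregated."""

    def __init__(self, conn: sqlite3.Connection, table: str, fields) -> None:
        super().__init__(conn, table)
        self.fields = frozenset(fields)  # assumed to come from the model definition

    def _aggregate(self, func: str, column: str):
        if column not in self.fields:
            raise ValueError(f"{column!r} is not a field of {self.table}")
        # Quote the identifier so it can only ever be read as a column name.
        return super()._aggregate(func, f'"{column}"')


def demo_vulnerable():
    """Returns (legitimate MIN(price), value leaked by the injected subquery)."""
    qs = VulnerableQuerySet(build_db(), "products")
    return qs.min("price"), qs.min(PAYLOAD)


def demo_hardened():
    """Returns (legitimate MIN(price), whether the payload was rejected)."""
    qs = HardenedQuerySet(build_db(), "products", fields=("id", "price"))
    legit = qs.min("price")
    try:
        qs.min(PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return legit, blocked


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

The vulnerable call executes `SELECT MIN((SELECT password_hash FROM users WHERE username = 'admin')) FROM products`, so the aggregate over the `products` table returns a value from `users`; any table the database user can read is reachable the same way. The hardened version shows the check the advisory says `min()` and `max()` were missing: compare the requested column against the model's own field names before building any SQL, and quote it as an identifier rather than trusting the string.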

Exploits (3)

nomisec STUB
by NetVanguard-cmd · poc
https://github.com/NetVanguard-cmd/CVE-2026-26198

The repository contains only a README.md file with minimal content (just the CVE ID), providing no exploit code, technical details, or functional proof-of-concept. It appears to be a placeholder or incomplete submission.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 19, 2026
nomisec WORKING POC
by sergicortesabadia · poc
https://github.com/sergicortesabadia/CVE-2026-26198-analysis

This repository contains a functional exploit PoC for CVE-2026-26198, demonstrating SQL injection in Ormar ORM via unvalidated `min()` and `max()` methods. It includes a vulnerable app, exploit demo, patched version, and detailed analysis.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Ormar ORM versions 0.9.9 through 0.22.0
No auth needed
Prerequisites: Ormar ORM version 0.9.9 to 0.22.0 · Python environment
devstral-2 · analyzed Apr 09, 2026
nomisec SUSPICIOUS
by blackhatlegend · poc
https://github.com/blackhatlegend/CVE-2026-26198

The repository claims to exploit CVE-2026-26198, an SQL injection vulnerability in Ormar ORM, but provides no actual exploit code. Instead, it directs users to an external download link (tinyurl.com), which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 95%
Attack Type
Sqli
Complexity
Theoretical
Reliability
Theoretical
Target: Ormar ORM versions 0.9.9 through 0.22.0
No auth needed
Prerequisites: Python 3.9 · access to the target system
devstral-2 · analyzed Feb 25, 2026

Scores

CVSS v3 9.8
EPSS 0.0002
EPSS Percentile 7.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
collerek/ormar 0.9.9 - 0.22.0 (fixed in 0.23.0)
pypi/ormar 0.9.9 - 0.22.0 (fixed in 0.23.0) (PyPI)
Published Feb 24, 2026
Tracked Since Feb 24, 2026