SCA: security update for ormar (GHSA-xxh2-68g9-8jqr)

high Tenable Self-Hosted Container Security Plugin ID 437936

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries,
Ormar ORM constructs SQL expressions by passing user-supplied column names directly into
`sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the
`QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are
partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()`
skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside
the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire
database contents, including tables unrelated to the queried model, by injecting a subquery as the column
parameter. Version 0.23.0 contains a patch. (CVE-2026-26198)

See Also

https://github.com/advisories/GHSA-xxh2-68g9-8jqr

Plugin Details

Severity: High

ID: 437936

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-26198

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2026

Vulnerability Publication Date: 2/23/2026

Reference Information

CVE: CVE-2026-26198

cwe: CWE-89