VYPR

PyPI package

ormar

pkg:pypi/ormar

Vulnerabilities (2)

  • CVE-2026-27953 (Mar 19, 2026)
    affected < 0.23.1, fixed 0.23.1

    ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk

  • CVE-2026-26198 (Feb 24, 2026)
    affected >= 0.9.9, < 0.23.0, fixed 0.23.0

    Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()`