Description
Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.
Recommendation
Update the drizzle-orm package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.0.0-beta.2, < 1.0.0-beta.20 < 0.45.2** Patched version(s): **1.0.0-beta.20 0.45.2**
References
Related Issues
- Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that - CVE-2026-33468
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- @payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters - CVE-2026-25544
You might also like:
- Tags:
- npm
- drizzle-orm
Anything's wrong? Let us know Last updated on April 08, 2026


