ORMar Vulnerability: Critical SQL Injection via Aggregate Functions

The Ormar ORM's min() and max() functions accept user-provided column names without validation, leading to SQL injection. This allows attackers to inject malicious queries, potentially accessing any database content. The vulnerability stems from the absence of input sanitization in get_text_clause(). Affected versions include multiple releases since 2021. Detection involves monitoring for unusual SQL patterns; mitigation requires updating Ormar or applying patches. Exploitability is high due to the critical nature and potential impact.