CVE-2026-34220

CRITICAL

MikroORM is vulnerable to SQL Injection via specially crafted object

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit entry for CVE-2026-34220, published by EQSTLab. That entry is a stub repository (see the analysis below), so no working exploit code is on record for this CVE despite the critical score.

AI-analyzed exploit summary: The repository contains only a README.md file with minimal content (just the CVE identifier) and no exploit code, technical details, or additional context. It appears to be a placeholder or stub repository.

Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
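The description says the injection happens when application-supplied objects are interpreted as raw SQL fragments. The practical exposure is untrusted JSON, typically a request body, reaching a `where` clause with a shape the application never meant to pass. The block below is an added example, not MikroORM's own code and not derived from the advisory's internals: it rebuilds a filter from untrusted input against a strict allow-list, so only objects constructed here reach the ORM. The entity columns, the operator list and the search-endpoint request body are hypothetical.

```typescript
// Added example (not from MikroORM or the advisory): allow-list an untrusted
// JSON filter before handing it to an ORM query. The class of bug on this page
// is "crafted object interpreted as a raw SQL fragment"; the defence that does
// not depend on ORM internals is to never forward request objects as `where`
// clauses verbatim, only to reconstruct them from a strict schema.
//
// Hypothetical assumptions: a search endpoint receives `{ filter: {...} }`,
// and the searched entity has exactly the columns listed in ALLOWED_FIELDS.

type Primitive = string | number | boolean | null;

// Operators we are willing to translate into ORM query operators.
const ALLOWED_OPS = new Set(['$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$in']);

// Columns the endpoint may filter on, with their expected scalar type.
const ALLOWED_FIELDS: Record<string, 'string' | 'number' | 'boolean'> = {
  id: 'number',
  email: 'string',
  active: 'boolean',
};

type SafeCondition = Primitive | { [op: string]: Primitive | Primitive[] };
type SafeFilter = Record<string, SafeCondition>;

// Only plain JSON-style objects pass; class instances and null-prototype
// objects are rejected so no foreign object shape is forwarded.
function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && Object.getPrototypeOf(v) === Object.prototype;
}

function checkScalar(field: string, v: unknown): Primitive {
  if (v === null) return null;
  if (typeof v !== ALLOWED_FIELDS[field]) {
    throw new Error(`field ${field}: expected ${ALLOWED_FIELDS[field]}, got ${typeof v}`);
  }
  return v as Primitive;
}

// Rebuild a filter from untrusted input. Every key must be an allow-listed
// column; every value must be a scalar of the right type or a one-level object
// whose keys are allow-listed operators. Nested objects, unknown keys
// (including "__proto__" or "constructor"), and arrays where a scalar is
// expected are all rejected.
function sanitizeFilter(input: unknown): SafeFilter {
  if (!isPlainObject(input)) throw new Error('filter must be a plain object');
  const out: SafeFilter = {};
  for (const [field, cond] of Object.entries(input)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, field)) {
      throw new Error(`unknown field ${field}`);
    }
    if (!isPlainObject(cond)) {
      out[field] = checkScalar(field, cond);
      continue;
    }
    const ops: { [op: string]: Primitive | Primitive[] } = {};
    for (const [op, v] of Object.entries(cond)) {
      if (!ALLOWED_OPS.has(op)) throw new Error(`field ${field}: unknown operator ${op}`);
      if (op === '$in') {
        if (!Array.isArray(v)) throw new Error(`field ${field}: $in expects an array`);
        ops[op] = v.map(x => checkScalar(field, x));
      } else {
        ops[op] = checkScalar(field, v);
      }
    }
    out[field] = ops;
  }
  return out;
}

// Demonstration on constructed inputs: one benign filter and four hostile ones.
function demo(): { accepted: SafeFilter; rejected: string[] } {
  const accepted = sanitizeFilter({ email: 'a@example.com', id: { $gt: 10, $in: [1, 2] } });
  const rejected: string[] = [];
  const hostile: unknown[] = [
    { email: { sql: '1=1 --' } },                                    // unknown operator key
    { password: 'x' },                                               // column not allow-listed
    { id: { $gt: { nested: true } } },                               // object where scalar expected
    Object.assign(Object.create({ marker: true }), { email: 'a' }),  // non-plain object
  ];
  for (const h of hostile) {
    try { sanitizeFilter(h); } catch (e) { rejected.push((e as Error).message); }
  }
  return { accepted, rejected };
}
```

The returned object is what you would hand to `em.find(User, safeFilter)`. This is an application-side mitigation that only covers filters routed through it; it does not replace upgrading to 6.6.10 or 7.0.6.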

Exploits (1)

nomisec STUB
by EQSTLab · poc
https://github.com/EQSTLab/CVE-2026-34220

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 16, 2026

References (1)

Scores

CVSS v3 9.8
EPSS 0.0001
EPSS Percentile 3.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (4)
mikro-orm/core 0 - 6.6.10 (npm)
mikro-orm/mikro-orm < 6.6.10
mikro-orm/mikro-orm >= 7.0.0-rc.0, < 7.0.6
mikro-orm/mikroorm < 6.6.10
Published Mar 31, 2026
Tracked Since Mar 31, 2026
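To decide whether an installed `@mikro-orm/core` falls in the affected ranges listed under Products, the following added example (not from the advisory or the project) parses a version string and compares it against the ranges as this page states them: every release before 6.6.10 (the description says the fix is 6.6.10, so that bound is taken as exclusive), and 7.0.0-rc.0 up to but excluding 7.0.6. Prerelease ordering follows semver 2.0 so that `7.0.0-rc.0` sorts below `7.0.0`. The `node_modules` path in the trailing comment is an assumption about where the installed version would be read from.

```typescript
// Added example (not from the advisory or MikroORM): is a given
// @mikro-orm/core version inside the affected ranges this page lists?
// Fixed versions per the description: 6.6.10 and 7.0.6.

interface SemVer { major: number; minor: number; patch: number; pre: string[] }

// Parse "v?MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]"; build metadata is ignored.
function parseSemVer(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver 2.0 precedence: numeric core first, then prerelease identifiers
// (numeric identifiers compare numerically and sort before alphanumeric ones);
// a release sorts after all of its prereleases.
function compareSemVer(a: SemVer, b: SemVer): number {
  for (const k of ['major', 'minor', 'patch'] as const) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1;
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges copied from this page (lower bound inclusive, upper exclusive).
const AFFECTED: Array<{ from: string | null; before: string }> = [
  { from: null, before: '6.6.10' },        // every release before 6.6.10
  { from: '7.0.0-rc.0', before: '7.0.6' }, // 7.0 release candidates and 7.0.0 through 7.0.5
];

function isAffected(version: string): boolean {
  const v = parseSemVer(version);
  return AFFECTED.some(r =>
    (r.from === null || compareSemVer(v, parseSemVer(r.from)) >= 0) &&
    compareSemVer(v, parseSemVer(r.before)) < 0);
}

// Typical use (assumed location of the installed package manifest):
// const { version } = require('./node_modules/@mikro-orm/core/package.json');
// console.log(version, isAffected(version) ? 'AFFECTED' : 'patched');
```

A version that parses but sits outside both ranges (for example a 7.0.0 alpha that predates `7.0.0-rc.0`) is reported as not affected because the page does not list it; treat that as "not covered by this record" rather than as a clean bill of health.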