CVE-2026-34220

CRITICAL

MikroORM is vulnerable to SQL Injection via specially crafted object

Title source: cna

Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.

Exploits (1)

nomisec STUB
by EQSTLab · poc
https://github.com/EQSTLab/CVE-2026-34220

Scores

CVSS v3 9.8
EPSS 0.0001
EPSS Percentile 2.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (4)
mikro-orm/core 0 - 6.6.10 (npm)
mikro-orm/mikro-orm < 6.6.10
mikro-orm/mikro-orm >= 7.0.0-rc.0, < 7.0.6
mikro-orm/mikroorm < 6.6.10
Published Mar 31, 2026
Tracked Since Mar 31, 2026