CVE-2026-34220
Published 2026-03-31
Priority P2 (60) · Severity critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.1 percentile)
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikro-orm | core | >= 0 < 6.6.10 | 6.6.10 |
| mikro-orm | core | >= 7.0.0-dev.0 < 7.0.6 | 7.0.6 |
| mikro-orm | mikro-orm | < 6.6.10 | 6.6.10 |
| mikro-orm | mikro-orm | — | — |
| mikro-orm | mikroorm | < 6.6.10 | 6.6.10 |
| mikro-orm | mikroorm | >= 7.0.0 < 7.0.6 | 7.0.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
MikroORM is vulnerable to SQL Injection via specially crafted object
ghsa · 2026-03-29
CVE-2026-34220 [CRITICAL] CWE-89
## Summary
MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.
## Impact
If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.
## Affected usage
The issue occurs when untrusted objects are passed to ORM write APIs such as:
- `wrap(entity).assign(userInput)` followed by `em.flush()`
- `em.nativeUpdate()`
- `em.nativeInsert()`
- `em.create()` followed by `em.flush()`
Applications that validate input types or enforce strict schema validation before passing data to MikroORM a
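As an added example (not code from the advisory or from the MikroORM project), the following JavaScript shows the "strict schema validation" mitigation the advisory points to: an allowlist validator that sits between a parsed request body and the ORM write APIs listed above (`wrap(entity).assign()`, `em.create()`, `em.nativeUpdate()`). Only declared fields holding primitive values are passed on, so an attacker-supplied object can never stand in for a plain column value. The schema format, the function names and the sample bodies are constructed for this example; the ORM calls appear only as comments because the code runs without a database. Upgrading to 6.6.10 / 7.0.6 remains the actual fix; the validator is defence in depth that also protects against the same class of problem in other data-access code.

```javascript
// Added example, not MikroORM's code: an allowlist validator applied to
// untrusted request bodies before they reach ORM write APIs such as
// wrap(entity).assign(userInput), em.create() or em.nativeUpdate().
// It implements the "strict schema validation" mitigation named in the
// advisory: only declared fields holding primitive values are passed on,
// so an attacker-supplied object can never stand in for a column value.
// The schema format ({ field: 'string' | 'number' | 'boolean' }) is a
// hypothetical minimal one chosen for this example.

const PRIMITIVE_TYPES = new Set(['string', 'number', 'boolean']);

class InputValidationError extends Error {
  constructor(field, reason) {
    super(`invalid input for field "${field}": ${reason}`);
    this.name = 'InputValidationError';
    this.field = field;
  }
}

function describe(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Returns a fresh plain object with only the fields declared in `schema`,
// each checked against its declared primitive type. Unknown fields are
// dropped; any type mismatch (including an object or array where a
// primitive is expected) throws InputValidationError.
function validateAssignInput(input, schema) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new InputValidationError('<root>', 'expected a plain object');
  }
  const clean = {};
  for (const [field, expected] of Object.entries(schema)) {
    if (!PRIMITIVE_TYPES.has(expected)) {
      throw new Error(`schema error: unsupported type "${expected}" for "${field}"`);
    }
    if (!Object.prototype.hasOwnProperty.call(input, field)) continue; // absent: nothing to assign
    const value = input[field];
    if (value === null || value === undefined) {
      clean[field] = null; // explicit null is an ordinary column value
      continue;
    }
    // Core check: typeof of an object, array, Date, function, etc. is never
    // 'string' | 'number' | 'boolean', so such values are rejected here and
    // never reach the ORM.
    if (typeof value !== expected) {
      throw new InputValidationError(field, `expected ${expected}, got ${describe(value)}`);
    }
    if (expected === 'number' && !Number.isFinite(value)) {
      throw new InputValidationError(field, 'expected a finite number');
    }
    clean[field] = value;
  }
  return clean;
}

// Non-throwing wrapper convenient for request handlers and tests.
function tryValidate(input, schema) {
  try {
    return { ok: true, data: validateAssignInput(input, schema) };
  } catch (err) {
    if (err instanceof InputValidationError) {
      return { ok: false, field: err.field, reason: err.message };
    }
    throw err; // schema errors are programming bugs, not bad input
  }
}

// Constructed sample data standing in for parsed JSON request bodies.
const USER_SCHEMA = { name: 'string', age: 'number', active: 'boolean' };
const GOOD_BODY = { name: 'Alice', age: 30, role: 'admin', active: true }; // `role` is undeclared and is dropped
const NESTED_BODY = { name: { unexpected: 'object' }, age: 30 };        // object where a string is expected

// Placement in a handler (ORM calls as comments; this file runs without a database):
//   const data = validateAssignInput(req.body, USER_SCHEMA);
//   wrap(user).assign(data);  // only validated primitives reach the ORM
//   await em.flush();
console.log(tryValidate(GOOD_BODY, USER_SCHEMA));   // { ok: true, data: { name: 'Alice', age: 30, active: true } }
console.log(tryValidate(NESTED_BODY, USER_SCHEMA)); // { ok: false, field: 'name', reason: '...' }
```

The important design choice is that the validator is an allowlist built from the schema rather than a denylist of suspicious shapes: every field not declared is discarded, and every declared field must have exactly the `typeof` it was declared with, which is what stops nested objects, arrays and other non-primitive values from being forwarded to `assign()` or `create()` regardless of how they are constructed.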
OSV
MikroORM is vulnerable to SQL Injection via specially crafted object
osv · 2026-03-29
CVE-2026-34220 [CRITICAL] (advisory text identical to the GHSA entry above)
No detection rules found. No public exploits indexed.
Published: 2026-03-31