{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34220", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T15:19:08.520Z", "dateUpdated": "2026-04-02T15:19:12.949Z"}, "containers": {"cna": {"title": "MikroORM is vulnerable to SQL Injection via specially crafted object", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm"}], "affected": [{"vendor": "mikro-orm", "product": "mikro-orm", "versions": [{"version": "< 6.6.10", "status": "affected"}, {"version": ">= 7.0.0-rc.0, < 7.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:19:08.520Z"}, "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6."}], "source": {"advisory": "GHSA-gwhv-j974-6fxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:18:51.645691Z", "id": "CVE-2026-34220", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:19:12.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T15:18:51.645691Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:19:06.315Z"}}], "cna": {"title": "MikroORM is vulnerable to SQL Injection via specially crafted object", "source": {"advisory": "GHSA-gwhv-j974-6fxm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mikro-orm", "product": "mikro-orm", "versions": [{"status": "affected", "version": "< 6.6.10"}, {"status": "affected", "version": ">= 7.0.0-rc.0, < 7.0.6"}]}], "references": [{"url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm", "name": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:19:08.520Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34220", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:19:12.949Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:19:08.520Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0FEF8C0C-0A0A-4580-B601-D588C9E81FB2", "versionEndExcluding": "6.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BC38F0C3-2043-4A5D-9FFF-CA1F7E295BD3", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6."}], "id": "CVE-2026-34220", "lastModified": "2026-04-03T15:16:45.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:32.127", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.6.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0-rc.0,7.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mikro-orm", "source": "cna", "vendor": "mikro-orm"}, "product": "mikro-orm", "vendor": "mikro-orm"}], "analysis": {"en": {"generated_at": "2026-04-03T17:51:55.913767+00:00", "value": {"mitigation_remediation": ["Upgrade MikroORM to version 6.6.10 or later for the 6.x series and to 7.0.6 or later for the 7.x series.", "Verify that all deployments reference the patched versions and that no legacy code paths still construct queries from raw objects.", "Review application code to ensure that only parameterized query builders or safe abstractions are used when interacting with the ORM, and refactor any custom query logic accordingly.", "Monitor database logs for unexpected or malformed SQL statements that might indicate an attempted exploitation."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection allowing arbitrary database queries"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MikroORM versions earlier than 6.6.10 in the 6.x line and earlier than 7.0.6 in the 7.x line. Any Node.js application that imports the vulnerable library and uses its query construction methods is susceptible, regardless of the backend database.", "description_and_impact": "A specially crafted object can be interpreted by MikroORM as a raw SQL fragment, creating a classic SQL injection flaw (CWE\u201189). If an attacker can supply such an object to the ORM layer, they could execute arbitrary SQL against the connected database, causing data theft, modification, or deletion. The flaw exists prior to version 6.6.10 of the 6.x series and 7.0.6 of the 7.x series.", "risk_and_exploitability": "The CVSS score of 9.3 signals a high\u2011severity flaw with ease of exploitation, yet the EPSS score is reported as less than 1%, suggesting that public exploitation is uncommon at the moment. The issue is not listed in CISA\u2019s KEV catalog. While the precise attack vector is not detailed in the CVE, it can be reasonably inferred that an attacker would need to deliver the malicious object through application input that is later passed to MikroORM\u2019s query methods. Further information on authentication requirements is not available from the CVE description."}}}}, "created": "2026-03-31T19:54:10.779170+00:00", "updated": "2026-04-03T21:17:38.273928+00:00", "vendors": ["mikro-orm", "mikro-orm$PRODUCT$mikro-orm"]}