No vendor fix or workaround currently provided.
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-cfw5-68c4-ffqp | MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys |

Wed, 27 May 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Mikro-orm, Mikro-orm knex, Mikro-orm mikro-orm, Mikro-orm sql | |
| Vendors & Products | Mikro-orm, Mikro-orm knex, Mikro-orm mikro-orm, Mikro-orm sql | |

Tue, 26 May 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Tue, 26 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. | |
| Title | MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys | |
| Weaknesses | CWE-89 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-26T17:40:52.485Z
Reserved: 2026-05-07T16:20:08.660Z
Link: CVE-2026-44680
Updated: 2026-05-26T17:40:39.560Z
Status : Deferred
Published: 2026-05-26T17:16:46.540
Modified: 2026-06-17T10:51:13.920
Link: CVE-2026-44680
No data.
OpenCVE Enrichment
Updated: 2026-05-27T10:09:09Z