Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: SQL injection
Action: Patch
AI Analysis

Impact

MikroORM is a TypeScript ORM for Node.js. In affected versions, specially crafted objects can be interpreted as raw SQL query fragments. This flaw permits attackers to inject arbitrary SQL commands, potentially leading to data compromise or unauthorized data modification, because the application may execute the injected fragments against the underlying database.

Affected Systems

The vulnerability affects MikroORM versions earlier than 6.6.10 in the 6.x release line and earlier than 7.0.6 in the 7.x release line. Any deployment using these older releases is at risk.

Risk and Exploitability

With a CVSS base score of 9.3, the issue is rated critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted object that the ORM processes as a SQL fragment, which could occur through web interfaces or APIs that accept arbitrary input.

Generated by OpenCVE AI on March 31, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MikroORM to version 6.6.10 or later in the 6.x series, or to version 7.0.6 or later in the 7.x series.


Advisories

Source: GitHub GHSA
ID: GHSA-gwhv-j974-6fxm
Title: MikroORM is vulnerable to SQL Injection via specially crafted object
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Mikro-orm; Mikro-orm mikro-orm

Type: Vendors & Products
Values Removed: none
Values Added: Mikro-orm; Mikro-orm mikro-orm

Tue, 31 Mar 2026 16:00:00 +0000

Type: Description
Values Removed: none
Values Added: MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.

Type: Title
Values Removed: none
Values Added: MikroORM is vulnerable to SQL Injection via specially crafted object

Type: Weaknesses
Values Removed: none
Values Added: CWE-89

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:19:08.520Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34220

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-31T16:16:32.127

Modified: 2026-03-31T16:16:32.127

Link: CVE-2026-34220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:06Z

Weaknesses