Description
A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

A vulnerability in the CUID data type handler of the Zod library can lead to SQL injection when an attacker manipulates input to the regex function. The flaw originates from improper neutralization of input characters (CWE-74) and is equivalent to a classic SQL injection attack (CWE-89). If exploited, an attacker could execute arbitrary queries against an underlying database, potentially exposing or modifying confidential data, resulting in a loss of confidentiality and integrity for the affected application.

Affected Systems

Any installation of colinhacks Zod version 4.3.6 or earlier is susceptible. The vulnerability involves the CUID data type handler located in packages/zod/src/v4/core/regexes.ts and therefore applies to all projects that import and use that data type or its validation function.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate impact. The EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The flaw can be triggered remotely with crafted input, and the vendor has not published a patch or workaround. The weakness is not listed in CISA's KEV catalog, so there is no evidence of in-the-wild exploitation as of the last update, but organizations should anticipate that the public disclosure could lead to future attacks.

Generated by OpenCVE AI on April 28, 2026 at 05:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Zod to the latest version where the CUID regex handling bug is fixed, if such a release is available.
  • If an upgrade is not immediately possible, disable or remove usage of the CUID data type in the application so the vulnerable code path is not exercised.
  • Implement strict input validation or parameterize all database queries that interact with user-provided data to mitigate the impact of a potential SQL injection.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 18:00:00 +0000

Type: Description
Values Added: A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: colinhacks Zod CUID Data Type regexes.ts sql injection

Type: First Time appeared
Values Added: Zod; Zod zod

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: CPEs
Values Added: cpe:2.3:a:zod:zod:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Zod; Zod zod

Type: References
Values Added:

Type: Metrics
Values Added:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:30:16.287Z

Reserved: 2026-04-24T19:38:03.317Z

Link: CVE-2026-6991

Vulnrichment

Updated: 2026-04-27T13:30:04.985Z

NVD

Status: Deferred

Published: 2026-04-25T18:16:19.240

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:45:23Z

Weaknesses