CVE-2026-44680
Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@mikro-orm/sqlnpm | < 7.0.14 | 7.0.14 |
@mikro-orm/knexnpm | < 6.6.14 | 6.6.14 |
Affected products
3- ghsa-coords2 versions
< 6.6.14+ 1 more
- (no CPE)range: < 6.6.14
- (no CPE)range: < 7.0.14
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-cfw5-68c4-ffqpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44680ghsaADVISORY
- github.com/mikro-orm/mikro-orm/pull/7653nvdWEB
- github.com/mikro-orm/mikro-orm/pull/7654nvdWEB
- github.com/mikro-orm/mikro-orm/pull/7656nvdWEB
- github.com/mikro-orm/mikro-orm/pull/7657nvdWEB
- github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqpnvdWEB
News mentions
0No linked articles in our index yet.