SQL Injection Vulnerability in MikroORM for Node.js Products
CVE-2026-44680
7.6 HIGH
What is CVE-2026-44680?
MikroORM contains a SQL injection vulnerability caused by improper escaping of special characters in its identifier-quoting helper and its JSON-path emitters. An attacker who can get a crafted string into one of the public ORM APIs that reach those code paths (identifiers such as table and column names, and JSON property paths, which are emitted into the query text rather than bound as parameters) can break out of the generated quoting and execute unauthorized SQL. The issue affects @mikro-orm/knex before 6.6.14 and @mikro-orm/sql before 7.0.14; those releases contain the fixes. Application developers should update immediately. Until the update is deployed, a practical interim check is to validate any column, table or JSON-path name that originates from untrusted input against a strict allowlist before handing it to the ORM, and never to accept such names from request parameters verbatim.
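The following is an added illustration of the bug class the advisory describes; it is not MikroORM's own code and does not reproduce the vulnerable routines. It shows a naive identifier-quoting helper and a naive JSON-path emitter beside hardened versions, assuming MySQL-style backtick identifiers and MySQL JSON path syntax; every function name below is hypothetical, and the hostile inputs are constructed for the demonstration.

```javascript
// Added illustration, not MikroORM's own code: how an identifier-quoting helper and a
// JSON-path emitter turn into SQL injection sinks when they do not escape or reject the
// characters that close the quoting they rely on, and one way to harden both.
// Assumptions: MySQL-style backtick identifiers and MySQL JSON path syntax
// (col->>'$."key"'); all function names below are hypothetical.

// Naive identifier quoting: wraps the name in backticks but never escapes an embedded
// backtick, so a name that contains one closes the identifier early and the rest of the
// string lands in the query as raw SQL.
function quoteIdentifierNaive(name) {
  return '`' + name + '`';
}

// Hardened identifier quoting: reject NUL and other control characters, then double
// every embedded backtick, which is how MySQL represents a backtick inside a quoted
// identifier. Length is capped at MySQL's 64-character identifier limit.
function quoteIdentifierSafe(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
    throw new Error('invalid identifier: ' + JSON.stringify(name));
  }
  if (/[\u0000-\u001f\u007f]/.test(name)) {
    throw new Error('control character in identifier');
  }
  return '`' + name.replace(/`/g, '``') + '`';
}

// Naive JSON-path emitter: splices caller-supplied key names straight into the
// single-quoted path literal, so a single quote in a key terminates the literal.
function jsonPathNaive(column, path) {
  return quoteIdentifierSafe(column) + "->>'$." + path.join('.') + "'";
}

// Hardened JSON-path emitter: allow only keys made of letters, digits, underscore and
// hyphen (a conservative allowlist, chosen here so no escaping is ever needed) and emit
// each one as a double-quoted key, which the MySQL JSON path grammar accepts.
const SAFE_JSON_KEY = /^[A-Za-z0-9_-]+$/;
function jsonPathSafe(column, path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new Error('empty JSON path');
  }
  const segments = path.map((key) => {
    if (typeof key !== 'string' || !SAFE_JSON_KEY.test(key)) {
      throw new Error('invalid JSON path segment: ' + JSON.stringify(key));
    }
    return '"' + key + '"';
  });
  return quoteIdentifierSafe(column) + "->>'$." + segments.join('.') + "'";
}

// Builds a filter the way a safe query builder should: identifiers and the JSON path go
// through the hardened emitters, the comparison value is always a bound parameter.
function buildJsonFilter(table, column, path, value) {
  const sql =
    'select * from ' + quoteIdentifierSafe(table) +
    ' where ' + jsonPathSafe(column, path) + ' = ?';
  return { sql, params: [value] };
}

// Constructed attacker-controlled inputs showing the difference between the two paths.
const hostileColumn = 'id` = 1 or 1=1 -- ';
const hostileKey = "city' or 1=1 -- ";
console.log('naive identifier :', quoteIdentifierNaive(hostileColumn));
console.log('safe identifier  :', quoteIdentifierSafe(hostileColumn));
console.log('naive JSON path  :', jsonPathNaive('profile', [hostileKey]));
console.log('safe filter      :', buildJsonFilter('users', 'profile', ['address', 'city'], hostileKey));
```

The two hardened helpers take different approaches on purpose: identifiers have a well-defined escape (doubling the quote character), so escaping is enough once control characters are rejected, while JSON path keys are easier to constrain with an allowlist than to escape correctly across dialects. The comparison value never touches either helper; it stays a bound parameter, which is the only place untrusted data should normally appear.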
Affected Version(s)
Package        Affected range                Introduced    Fixed
knex           < 6.6.14                      -             6.6.14
mikro-orm      >= 7.0.0-rc.0, < 7.0.14       7.0.0-rc.0    7.0.14
mikro-orm      < 6.6.14                      -             6.6.14
