SQL Injection Vulnerability in colinhacks Zod's CUID Data Type Handler
CVE-2026-6991

5.3 MEDIUM

Key Information:

Vendor: Colinhacks
Status: Vendor
CVE Published: 25 April 2026

What is CVE-2026-6991?

A vulnerability has been discovered in the colinhacks Zod library, affecting versions up to 4.3.6. The flaw lies in an unspecified function in 'packages/zod/src/v4/core/regexes.ts', part of the CUID Data Type Handler. By manipulating inputs, a remote attacker could carry out SQL injection attacks, potentially compromising the security of applications that rely on the affected validation. Although the vendor was notified of this issue early, no response or mitigation has been reported.

Affected Version(s)

  • Zod 4.3.0
  • Zod 4.3.1
  • Zod 4.3.2

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

  • dsonbacker (VulDB User)
  • VulDB CNA Team