CVE-2026-34220 CRITICAL

CVE-2026-34220: MikroORM is vulnerable to SQL Injection via specially crafted object

Vendor Mikro-Orm

Product mikro-orm

Weakness CWE-89 · SQLi

Published March 31, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.

Key dates

02Disclosure timeline

March 31, 2026 CVE published

April 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34220

Related vulnerabilities

Identifiers

CVE CVE-2026-34220

CWE CWE-89

CVSS 9.3 / CRITICAL

Affected versions

Vendor Mikro-Orm

Product mikro-orm

Affected < 6.6.10

Vendor Mikro-Orm

Product mikro-orm

Affected >= 7.0.0-rc.0, < 7.0.6

CVE-2026-34220: MikroORM is vulnerable to SQL Injection via specially crafted object

01Description

02Disclosure timeline

03References

04Related CVE