7 matches found

F5 Networks
added 2026/05/07 5:16 a.m. | 12 views

K000161154: Sequelize vulnerability CVE-2026-30951

Security Advisory Description: Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An...

7.5 CVSS | 6 AI score | 0.00377 EPSS
Exploits: 2
vulnersOsv
added 2026/03/11 12:18 a.m. | 4 views

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: SNYK:JS-SEQUELIZE-15456219...

7.5 CVSS | 5.8 AI score | 0.00377 EPSS
Exploits: 2
vulnersOsv
added 2026/03/11 12:18 a.m. | 5 views

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: OSV:GHSA-6457-6JRX-69CR...

7.5 CVSS | 5.8 AI score | 0.00377 EPSS
Exploits: 2
Tenable Nessus
added 2026/03/11 12:0 a.m. | 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-30951

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON functio...

7.5 CVSS | 6 AI score | 0.00377 EPSS
Exploits: 2 | References: 2
RedhatCVE
added 2026/03/10 9:59 p.m. | 1 views

CVE-2026-30951

A flaw was found in Sequelize, a Node.js Object-Relational Mapper (ORM) tool. A remote attacker can exploit a SQL injection vulnerability by manipulating JSON object keys during JSON/JSONB where clause processing. This allows for the injection of arbitrary SQL commands due to the improper handling ...

7.5 CVSS | 5.9 AI score | 0.00377 EPSS
Exploits: 2 | References: 4
ATTACKERKB
added 2026/03/10 8:22 p.m. | 2 views

CVE-2026-30951

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

7.5 CVSS | 5.9 AI score | 0.00377 EPSS
Exploits: 2 | References: 2 | Affected Software: 1
Circl
added 2026/03/09 9:42 p.m. | 3 views

CVE-2026-30951

creationtimestamp | type | source
---|---|---
2026-03-09 21:42:50+00:00 | published-proof-of-concept | https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
2026-03-18 20:20:08+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mhecqtuljb2h
2026-04-05 18:00:04+00:00|...

7.5 CVSS | 5.3 AI score | 0.00377 EPSS
Exploits: 2 | References: 3