📄 MikroORM 7.0.13 SQL Injection

MikroORM version 7.0.13 suffers from a remote SQL injection vulnerability. Exploit Title: MikroORM 7.0.13 - SQL Injection Google Dork: N/A Date: 2026-05-27 Exploit Author: cardosource Vendor Homepage: https://mikro-orm.io/ Software Link: https://github.com/mikro-orm/mikro-orm Version:...

CVE-2026-44680

MikroORM is vulnerable to SQL injection via runtime-controlled identifiers and JSON-path keys. The root cause is improper escaping in the identifier-quoting helper (Platform.quoteIdentifier and PostgreSQL/MSSQL overrides) and in JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey)...

@acmekit/acmekit-oas-cli (>=2.13.1 <=2.13.94), @acmekit/cli (>=2.13.1 <=2.13.94) +142 more potentially affected by CVE-2026-44680 via @mikro-orm/knex (>=6.0.0-dev.110 <=6.6.14-dev.3)

@mikro-orm/knex NPM version =6.0.0-dev.110, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =0.0.1, =0.5.0, =0.1.29, =0.6.8 and more Source cves: CVE-2026-44680 Source advisory: SNYK:JS-MIKROORMKNEX-16624725...

@mikro-orm/entity-generator (>=7.0.0 <=7.0.14-dev.14), @mikro-orm/libsql (>=7.0.0 <=7.0.14-dev.14) +9 more potentially affected by CVE-2026-44680 via @mikro-orm/sql (>=7.0.0-dev.100 <=7.0.14-dev.9)

@mikro-orm/sql NPM version =7.0.0-dev.100, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.14-dev.14 - @reldens/cms =0.61.0 - @reldens/storage =0.93.0 Source cves: CVE-2026-44680 Source advisory: SNYK:JS-MIKROORMSQL-16624726...