
32 matches found

F5 Networks (added 2026/05/07 5:16 a.m., 9 views)

K000161154: Sequelize vulnerability CVE-2026-30951

Security Advisory Description Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An...

CVSS 7.5 | AI score 6 | EPSS 0.0002
Exploits: 2
Packet Storm (added 2026/04/27 12:00 a.m., 119 views)

Sequelize 6.37.7 SQL Injection

A remote SQL injection vulnerability exists in Sequelize versions 6.37.7 and below in the JSON/JSONB where clause processing. When Sequelize parses a JSON path key containing ::, the value after :: is treated as a SQL cast type and is inserted into the generated SQL without proper validation. If an...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 2
vulnersOsv (added 2026/03/11 12:18 a.m., 4 views)

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more. Source CVEs: CVE-2026-30951. Source advisory: SNYK:JS-SEQUELIZE-15456219...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 2
vulnersOsv (added 2026/03/11 12:18 a.m., 5 views)

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more. Source CVEs: CVE-2026-30951. Source advisory: OSV:GHSA-6457-6JRX-69CR...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 2
Tenable Nessus (added 2026/03/11 12:00 a.m., 3 views)

Linux Distros Unpatched Vulnerability : CVE-2026-30951

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON functio...

CVSS 7.5 | AI score 6 | EPSS 0.0002
Exploits: 2 | References: 2
Cvelist (added 2026/03/10 8:22 p.m., 22 views)

CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 | EPSS 0.0002
Exploits: 2 | References: 1
OSV (added 2026/03/10 8:22 p.m., 1 view)

CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 | AI score 5.9 | EPSS 0.0002
Exploits: 2 | References: 3
EUVD (added 2025/10/07 12:30 a.m., 6 views)

EUVD-2019-0268

Malware in sbrugna...

CVSS 9.8 | AI score 9.4 | EPSS 0.00486
Exploits: 0 | References: 6
EUVD (added 2025/10/07 12:30 a.m., 3 views)

EUVD-2019-0753

Malware in sbrugna...

CVSS 9.8 | AI score 9.3 | EPSS 0.00427
Exploits: 1 | References: 8
RedhatCVE (added 2025/05/23 2:49 a.m., 1 view)

CVE-2023-22578

Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections...

CVSS 10 | AI score 7.4 | EPSS 0.00179
Exploits: 0 | References: 1
vulnersOsv (added 2023/02/24 6:48 p.m., 1 view)

@galenjs/framework-next (>=1.0.0 <=1.7.0), @galenjs/models (>=1.1.11 <=1.7.0) +4 more potentially affected by CVE-2023-22578 via @sequelize/core (=7.0.0-alpha.10)

@sequelize/core NPM version =7.0.0-alpha.10 is affected by a known vulnerability. The following packages have a transitive dependency on @sequelize/core and may be impacted: - @galenjs/framework-next =1.0.0, =1.1.11, =0.0.2, =0.0.2, =0.0.30, =0.1.0, =0.1.1. Source CVEs: CVE-2023-22578. Source...

CVSS 10 | AI score 7.2 | EPSS 0.00179
Exploits: 0
vulnersOsv (added 2023/02/24 6:48 p.m., 1 view)

12g (=0.0.27), 1st-project (=1.0.2) +2911 more potentially affected by CVE-2023-22578 via sequelize (>=1.0.2 <=6.28.2)

sequelize NPM version =1.0.2, =0.0.1, =0.0.2, =0.0.1, =1.2.3, =1.0.0, =0.5.0, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =2.0.1 - @aapokiiso/hsl-congestion-route-pattern-repository =1.0.0 and more. Source CVEs: CVE-2023-22578. Source advisory: OSV:GHSA-F598-MFPV-GMFX...

CVSS 10 | AI score 7.2 | EPSS 0.00179
Exploits: 0
vulnersOsv (added 2023/02/23 4:58 p.m., 3 views)

12g (=0.0.27), 1st-project (=1.0.2) +2909 more potentially affected by CVE-2023-22579 via sequelize (>=1.0.2 <=6.28.0)

sequelize NPM version =1.0.2, =0.0.1, =0.0.2, =0.0.1, =1.2.3, =1.0.0, =0.5.0, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =2.0.1 - @aapokiiso/hsl-congestion-route-pattern-repository =1.0.0 and more. Source CVEs: CVE-2023-22579. Source advisory: OSV:GHSA-VQFX-GJ96-3W95...

CVSS 9.9 | AI score 7.2 | EPSS 0.004
Exploits: 0
OSV (added 2023/02/23 4:58 p.m., 1 view)

GHSA-VQFX-GJ96-3W95 Unsafe fall-through in getWhereConditions

Impact: Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error. A finder call like the following did not throw an error: `User.findAll({ where: new Date() });` As this option is typically used with plain JavaScript objects, be awar...

CVSS 9.9 | AI score 5.7 | EPSS 0.004
Exploits: 0 | References: 10
vulnersOsv (added 2023/02/22 10:59 p.m., 1 view)

12g (=0.0.27), 1st-project (=1.0.2) +2827 more potentially affected by CVE-2023-25813 via sequelize (>=1.0.2 <=6.19.0)

sequelize NPM version =1.0.2, =0.0.1, =0.0.2, =0.0.1, =1.2.3, =1.0.0, =0.5.0, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =2.0.1 - @aapokiiso/hsl-congestion-route-pattern-repository =1.0.0 and more. Source CVEs: CVE-2023-25813. Source advisory: OSV:GHSA-WRH9-CJV3-2HPW...

CVSS 10 | AI score 7.2 | EPSS 0.03518
Exploits: 2
OSV (added 2023/02/16 3:30 p.m., 4 views)

GHSA-8MWQ-MJ73-QV68 Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements

Duplicate advisory: This advisory has been withdrawn because it is a duplicate of GHSA-f598-mfpv-gmfx. This link is maintained to preserve external references. Original description: Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. This issue ca...

CVSS 10 | AI score 9.6 | EPSS 0.00179
Exploits: 0 | References: 6
vulnersOsv (added 2023/02/16 3:30 p.m., 1 view)

12g (=0.0.27), 1st-project (=1.0.2) +2909 more potentially affected by CVE-2023-22580 via sequelize (>=1.0.2 <=6.28.0)

sequelize NPM version =1.0.2, =0.0.1, =0.0.2, =0.0.1, =1.2.3, =1.0.0, =0.5.0, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =2.0.1 - @aapokiiso/hsl-congestion-route-pattern-repository =1.0.0 and more. Source CVEs: CVE-2023-22580. Source advisory: OSV:GHSA-8C25-F3MJ-V6H8...

CVSS 7.5 | AI score 7.1 | EPSS 0.00286
Exploits: 2
vulnersOsv (added 2020/09/03 8:25 p.m., 0 views)

12g (=0.0.27), 402 (>=0.0.2 <=0.1.1) +996 more potentially affected by unknown CVE via sequelize (>=1.0.2 <=4.44.3)

sequelize NPM version =1.0.2, =0.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =0.0.1, =1.1.7, =0.0.1, =1.0.0, =4.0.2, =5.2.3 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-FW4P-36J9-RRJ3...

AI score 5.8
Exploits: 0
vulnersOsv (added 2019/11/08 5:05 p.m., 1 view)

@aaa-backend-stack/graphql (>=1.16.1 <=2.4.4), @aaa-backend-stack/graphql-rest-bindings (>=1.16.0 <=1.16.9) +264 more potentially affected by CVE-2019-10749 via sequelize (>=1.0.2 <=3.34.0)

sequelize NPM version =1.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.12.0, =1.0.22, =2.0.10, =1.0.97, =1.6.489, =1.6.735 and more. Source CVEs: CVE-2019-10749. Source advisory: OSV:GHSA-2598-2F59-RMHQ...

CVSS 9.8 | AI score 7.2 | EPSS 0.00357
Exploits: 1
vulnersOsv (added 2019/11/06 5:11 p.m., 1 view)

1st-project (=1.0.2), @142vip/egg-sequelize (>=0.0.1 <=0.0.2) +1065 more potentially affected by CVE-2019-10748 via sequelize (>=5.10.0 <=5.8.10)

sequelize NPM version =5.10.0, =0.0.1, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.1, =1.0.0, =0.2.0, =1.0.1, =1.0.2 - @aica/js-app =1.0.1 and more. Source CVEs: CVE-2019-10748. Source advisory: OSV:GHSA-J9XP-92VC-559J...

CVSS 9.8 | AI score 7.2 | EPSS 0.00427
Exploits: 1