Lucene search

452 matches found

F5 Networks
added 2026/05/07 5:16 a.m. · 8 views

K000161154: Sequelize vulnerability CVE-2026-30951

Security Advisory Description Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An...

CVSS 7.5 · AI score 6 · EPSS 0.0002
Exploits 2
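The traverseJSON behaviour summarised in the entry above, as an added illustration: this is not Sequelize's own code (its internals are not reproduced here) but a hypothetical JSON-path-to-SQL builder that mimics what the advisories describe, beside a hardened form that checks the cast type against a fixed allowlist before it is used. The function names, the `ALLOWED_CASTS` list, the `#>>` path expression and the attacker-supplied key are assumptions made for the example, and the allowlist is one possible fix rather than the change shipped in 6.37.8.

```javascript
// Added illustration of the CVE-2026-30951 pattern described in the advisory
// above. This is NOT Sequelize's code: it is a hypothetical JSON-path-to-SQL
// builder (assumed names: buildJsonWhereVulnerable, buildJsonWhereHardened,
// ALLOWED_CASTS) that reproduces the described behaviour: a where-clause key
// is split on "::", the right-hand side is taken as a cast type and dropped
// raw into CAST(... AS <type>).

// Escape a value as a single-quoted SQL string literal (illustrative only).
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Escape a JSON path segment that lands inside a PostgreSQL text literal.
function escapePathKey(path) {
  return path.replace(/'/g, "''");
}

// VULNERABLE: the path is escaped, the cast type after "::" is not.
// Whoever controls the key controls the SQL that follows "AS".
function buildJsonWhereVulnerable(column, key, value) {
  const [path, castType] = key.split('::');
  let expr = `("${column}"#>>'{${escapePathKey(path)}}')`;
  if (castType) {
    expr = `CAST(${expr} AS ${castType})`;
  }
  return `${expr} = ${escapeLiteral(value)}`;
}

// HARDENED: the cast type must match a fixed allowlist before it is used.
// (An allowlist is one fix; the page does not say what 6.37.8 does exactly.)
const ALLOWED_CASTS = new Set(['text', 'integer', 'bigint', 'boolean', 'numeric', 'timestamptz']);

function buildJsonWhereHardened(column, key, value) {
  const idx = key.indexOf('::');
  const path = idx === -1 ? key : key.slice(0, idx);
  const castType = idx === -1 ? null : key.slice(idx + 2).toLowerCase();
  // An empty or unknown cast type (including "a::") is rejected outright.
  if (castType !== null && !ALLOWED_CASTS.has(castType)) {
    throw new Error(`unsupported cast type in JSON path key: ${JSON.stringify(castType)}`);
  }
  let expr = `("${column}"#>>'{${escapePathKey(path)}}')`;
  if (castType) {
    expr = `CAST(${expr} AS ${castType})`;
  }
  return `${expr} = ${escapeLiteral(value)}`;
}

// Constructed attacker input: a JSON object key a client could supply if a
// handler passed request data straight into a JSON/JSONB where clause.
// The text after "::" closes the CAST and appends its own predicate; the
// trailing "--" comments out the builder's own "= 'secret'".
const attackerKey = "a::text) = 'x' OR 1=1 --";

console.log(buildJsonWhereVulnerable('data', attackerKey, 'secret'));
// CAST(("data"#>>'{a}') AS text) = 'x' OR 1=1 --) = 'secret'

try {
  buildJsonWhereHardened('data', attackerKey, 'secret');
} catch (e) {
  console.log('rejected:', e.message);
}

console.log(buildJsonWhereHardened('data', 'a::integer', 5));
// CAST(("data"#>>'{a}') AS integer) = '5'
```

The point to take from the vulnerable output is that the injected text never passes through any string-literal escaping: it becomes part of the SQL structure, not a value, which is why escaping the path alone does not help. The hardened version fails closed on anything outside the allowlist rather than trying to sanitise the type name.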
Packet Storm
added 2026/04/27 12:00 a.m. · 114 views

Sequelize 6.37.7 SQL Injection

A remote SQL injection vulnerability exists in Sequelize versions 6.37.7 and below in the JSON/JSONB where clause processing. When Sequelize parses a JSON path key containing ::, the value after :: is treated as a SQL cast type and is inserted into the generated SQL without proper validation. If an...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2
EUVD
added 2026/03/11 12:18 a.m. · 1 view

EUVD-2026-10870

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2 · References 2
Snyk
added 2026/03/11 12:18 a.m. · 1 view

SQL Injection

Overview sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to SQL Injection via the traverseJSON function, which escapes JSON path values but not cast types after the :: operator. An attacker ca...

CVSS 8.7 · AI score 6 · EPSS 0.0002
Exploits 2 · References 2
EUVD
added 2026/03/11 12:18 a.m. · 0 views

EUVD-2026-10871

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2 · References 2
vulnersOsv
added 2026/03/11 12:18 a.m. · 2 views

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: SNYK:JS-SEQUELIZE-15456219...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2
Github Security Blog
added 2026/03/11 12:18 a.m. · 5 views

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Summary SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data...

CVSS 7.5 · AI score 6 · EPSS 0.0002
Exploits 2 · References 3 · Affected software 1
OSV
added 2026/03/11 12:18 a.m. · 1 view

GHSA-6457-6JRX-69CR Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Summary SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data...

CVSS 7.5 · AI score 6.1 · EPSS 0.0002
Exploits 2 · References 3
vulnersOsv
added 2026/03/11 12:18 a.m. · 4 views

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: OSV:GHSA-6457-6JRX-69CR...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2
Tenable Nessus
added 2026/03/11 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-30951

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON functio...

CVSS 7.5 · AI score 6 · EPSS 0.0002
Exploits 2 · References 2
NVD
added 2026/03/10 9:16 p.m. · 1 view

CVE-2026-30951

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 · EPSS 0.0002
Exploits 2 · References 1
Vulnrichment
added 2026/03/10 8:22 p.m. · 0 views

CVE-2026-30951 SQL Injection via JSON Column Cast Type in Sequelize v6

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 · AI score 5.9 · EPSS 0.0002
Exploits 2 · References 1
Cvelist
added 2026/03/10 8:22 p.m. · 22 views

CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 · EPSS 0.0002
Exploits 2 · References 1
ATTACKERKB
added 2026/03/10 8:22 p.m. · 0 views

CVE-2026-30951

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 · AI score 5.9 · EPSS 0.0002
Exploits 2 · References 2 · Affected software 1
OSV
added 2026/03/10 8:22 p.m. · 1 view

CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVSS 7.5 · AI score 5.9 · EPSS 0.0002
Exploits 2 · References 3
CVE
added 2026/03/10 8:22 p.m. · 6 views

CVE-2026-30951

CVE-2026-30951 affects Sequelize (Node.js ORM). Prior to version 6.37.8, JSON/JSONB where-clause processing can interpolate an unescaped cast type via _traverseJSON(), inserting CAST(... AS ) with attacker-controlled JSON keys, enabling arbitrary SQL and data exfiltration from any table. The vuln...

CVSS 7.5 · AI score 5.9 · EPSS 0.0002
Exploits 2 · References 1 · Affected software 1
CNNVD
added 2026/03/10 12:00 a.m. · 2 views

Sequelize SQL injection vulnerability

Sequelize is an open-source ORM (Object-Relational Mapping) tool for Node.js. Versions of Sequelize prior to 6.37.8 have a SQL injection vulnerability, which stems from a cast type that is not properly escaped during the handling of JSON/JSONB WHERE clauses and which could...

CVSS 7.5 · AI score 5.8 · EPSS 0.0002
Exploits 2 · References 2
Positive Technologies
added 2026/03/10 12:00 a.m. · 1 view

PT-2026-24433

Name of the Vulnerable Software and Affected Versions Sequelize versions prior to 6.37.8 Description Sequelize, a Node.js ORM tool, contains a SQL injection flaw due to unescaped cast type handling within JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys using ':...

CVSS 7.8 · AI score 5.9 · EPSS 0.0002
Exploits 2 · References 9
RedhatCVE
added 2026/01/09 10:12 a.m. · 5 views

CVE-2019-11069

Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used...

CVSS 7.5 · AI score 6.9 · EPSS 0.00275
Exploits 0 · References 1
RedhatCVE
added 2026/01/09 9:01 a.m. · 6 views

CVE-2023-25813

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fix...

CVSS 10 · AI score 7.7 · EPSS 0.03518
Exploits 2 · References 1
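A check a practitioner would run against the three Sequelize ranges this listing names (6.0.0-beta.4 through 6.37.7 for CVE-2026-30951, versions prior to 6.19.1 for CVE-2023-25813, and 5.x before 5.3.0 for CVE-2019-11069): an added JavaScript script, not code from any of the sources above, that walks the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of sequelize, nested copies included, that falls inside one of those ranges. The helper names, the `SEQUELIZE_ADVISORIES` table and the sample lockfile are constructed for this example; the bounds in the table are taken only as the page states them, so CVE-2023-25813 carries no lower bound.

```javascript
// Added check, not code from any source in this listing: flag sequelize
// installs in an npm package-lock.json (lockfileVersion 2 or 3) that fall in
// the affected ranges stated on this page. Assumed names: SEQUELIZE_ADVISORIES,
// parseSemver, compareSemver, findSequelizeFindings; SAMPLE_LOCK is constructed.

// Ranges as given on this page: [min, fixed). A null min means the page
// states no lower bound ("versions prior to ...").
const SEQUELIZE_ADVISORIES = [
  { id: 'CVE-2026-30951', min: '6.0.0-beta.4', fixed: '6.37.8' }, // JSON cast-type SQLi
  { id: 'CVE-2023-25813', min: null,           fixed: '6.19.1' }, // replacements SQLi
  { id: 'CVE-2019-11069', min: '5.0.0',        fixed: '5.3.0' },  // standard conforming strings
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Returns -1, 0 or 1. Prerelease ordering follows the semver spec: a release
// sorts after its prereleases, numeric identifiers sort before alphanumeric.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) {
      if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    } else if (pNum) {
      return -1;
    } else if (qNum) {
      return 1;
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

// Walk every install path (including nested node_modules copies, which a
// top-level dependency listing can hide behind a deduped entry) and report
// each advisory whose range contains the installed version.
function findSequelizeFindings(lockfile) {
  const results = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    const isSequelize = installPath === 'node_modules/sequelize' ||
      installPath.endsWith('/node_modules/sequelize');
    if (!isSequelize || !entry.version) continue;
    for (const adv of SEQUELIZE_ADVISORIES) {
      const aboveMin = adv.min === null || compareSemver(entry.version, adv.min) >= 0;
      const belowFix = compareSemver(entry.version, adv.fixed) < 0;
      if (aboveMin && belowFix) {
        results.push({ path: installPath, version: entry.version, id: adv.id, fixed: adv.fixed });
      }
    }
  }
  return results;
}

// Constructed sample lockfile: one current-but-unpatched copy, one stale
// nested copy pulled in by a hypothetical dependency, and an unrelated
// package whose name merely starts with "sequelize".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/sequelize': { version: '6.37.7' },
    'node_modules/legacy-tool/node_modules/sequelize': { version: '5.2.0' },
    'node_modules/sequelize-typescript': { version: '2.1.6' },
  },
};

for (const f of findSequelizeFindings(SAMPLE_LOCK)) {
  console.log(`${f.path}: sequelize ${f.version} affected by ${f.id} (fixed in ${f.fixed})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Lockfiles at lockfileVersion 1 keep a nested `dependencies` tree instead of a flat `packages` map and are not handled here; likewise a version string that is a git or file URL rather than a semver will make `parseSemver` throw, which is the intended fail-closed behaviour for a check like this.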