EXECUTIVE SUMMARY:
CVE-2026-44680 with a CVSS score of 7.6 is a critical vulnerability in MikroORM, a popular ORM for TypeScript and JavaScript, affecting all supported SQL dialects. The vulnerability lies in the fact that MikroORM's identifier-quoting helper and JSON-path emitters do not properly escape characters that delimit the SQL identifier or string-literal context they emit into, allowing an attacker to inject arbitrary SQL. This is reachable when application code passes an attacker-influenced string to public ORM APIs, such as em.fork(), qb.withSchema(), em.find(), qb.where, qb.orderBy, qb.groupBy, qb.having, or qb.select keys. An attacker can exploit this vulnerability to read from any table/schema the database user has access to, execute additional arbitrary SQL statements, and even DROP/TRUNCATE data via injected statements. The business impact is significant, as confidentiality, integrity, and availability of the database can be compromised. To exploit this vulnerability, an attacker requires low privileges, and no user interaction is required. Prerequisites for exploitation include having access to the database user account and being able to manipulate the application code to pass attacker-influenced strings to the affected APIs.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-44680 with a CVSS score of 7.6 is a critical vulnerability in MikroORM, a popular ORM for TypeScript and JavaScript, affecting all supported SQL dialects. The vulnerability lies in the fact that MikroORM's identifier-quoting helper and JSON-path emitters do not properly escape characters that delimit the SQL identifier or string-literal context they emit into, allowing an attacker to inject arbitrary SQL. This is reachable when application code passes an attacker-influenced string to public ORM APIs, such as em.fork(), qb.withSchema(), em.find(), qb.where, qb.orderBy, qb.groupBy, qb.having, or qb.select keys. An attacker can exploit this vulnerability to read from any table/schema the database user has access to, execute additional arbitrary SQL statements, and even DROP/TRUNCATE data via injected statements. The business impact is significant, as confidentiality, integrity, and availability of the database can be compromised. To exploit this vulnerability, an attacker requires low privileges, and no user interaction is required. Prerequisites for exploitation include having access to the database user account and being able to manipulate the application code to pass attacker-influenced strings to the affected APIs.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-cfw5-68c4-ffqp