PatchSiren

mikro-orm CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | mikro-orm | CVE published 2026-05-26

CVE-2026-44680

MikroORM, a TypeScript ORM for Node.js, contains an SQL injection vulnerability in versions prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. The vulnerability resides in the identifier-quoting helper (Platform.quoteIdentifier and PostgreSQL/MSSQL overrides) and JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey), which fail to properly escape characters that delimit SQL identifi [truncated]