SQL Injection in Mikro-orm

CVE-2026-34220

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL que…

Vulnerability class: SQL Injection

EPSS: 0.000 (3.1th percentile)

Affected products

  • Mikro-orm — versions < 6.6.10; versions >= 7.0.0-rc.0 and < 7.0.6

Frequently asked questions

What is CVE-2026-34220?
CVE-2026-34220 is a vulnerability in Mikro-orm, classified under SQL Injection. Published 2026-03-31.
Is CVE-2026-34220 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.