Search for packages
| purl | pkg:npm/%40mikro-orm/core@5.7.2-dev.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4sgr-qjad-1qh7
Aliases: CVE-2026-34220 GHSA-gwhv-j974-6fxm |
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-x9vp-vd1f-eyex
Aliases: CVE-2026-34221 GHSA-qpfv-44f3-qqx6 |
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T21:41:59.635245+00:00 | GitLab Importer | Affected by | VCID-x9vp-vd1f-eyex | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@mikro-orm/core/CVE-2026-34221.yml | 38.6.0 |
| 2026-06-12T21:41:29.474121+00:00 | GitLab Importer | Affected by | VCID-4sgr-qjad-1qh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@mikro-orm/core/CVE-2026-34220.yml | 38.6.0 |