Package details: pkg:npm/%40mikro-orm/sql@7.0.13
purl pkg:npm/%40mikro-orm/sql@7.0.13
Next non-vulnerable version 7.0.14
Latest non-vulnerable version 7.0.14
Risk 10.0
Vulnerabilities affecting this package (1)
Vulnerability: VCID-tyvj-2zym-rub7
Aliases: CVE-2026-44680, GHSA-cfw5-68c4-ffqp
Summary: MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.
Fixed by: 7.0.14 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-13T06:30:06.415156+00:00 | GHSA Importer | Affected by | VCID-tyvj-2zym-rub7 | https://github.com/advisories/GHSA-cfw5-68c4-ffqp | 38.6.0 |
| 2026-06-12T22:24:58.310197+00:00 | GitLab Importer | Affected by | VCID-tyvj-2zym-rub7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@mikro-orm/sql/CVE-2026-44680.yml | 38.6.0 |