PT-2026-28611 · Mikroorm · Mikroorm
Lukas-Eu · Published 2026-03-29 · Updated 2026-04-27
CVE-2026-34220 · CVSS v3.1 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MikroORM versions 6.6.9 and earlier
MikroORM versions 7.0.5 and earlier
Description
MikroORM is susceptible to SQL injection when specially crafted objects are processed as raw SQL query fragments. If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments, potentially leading to SQL injection depending on the database and the query being executed. The issue arises when untrusted objects are used with ORM write APIs, including wrap(entity).assign(userInput) followed by em.flush(), em.nativeUpdate(), em.nativeInsert(), and em.create() followed by em.flush(). Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected. The root cause was duck-typed detection of internal ORM marker properties; the fix replaces them with symbol-based markers that cannot be reproduced by user input.
Recommendations
Versions 6.6.9 and earlier should be updated.
Versions 7.0.5 and earlier should be updated.
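As an added illustration of the root cause described above (this is not MikroORM's code; RAW, raw(), isRawDuckTyped, isRawSymbol and compileSet are hypothetical names), the snippet compiles an object into a parameterised SET clause once with duck-typed fragment detection and once with a symbol-based marker that deserialised input cannot carry:

```typescript
// Added example, not MikroORM's code: RAW, raw(), isRawDuckTyped, isRawSymbol
// and compileSet are hypothetical names standing in for the ORM internals.
const RAW: unique symbol = Symbol('raw-sql-fragment');

interface RawFragment {
  readonly [RAW]: true;
  sql: string;
}

// Only ORM-side code can mint a value carrying the symbol key.
function raw(sql: string): RawFragment {
  return { [RAW]: true, sql };
}

// Vulnerable pattern: any object that merely *looks* like a fragment is trusted.
function isRawDuckTyped(v: unknown): boolean {
  return typeof v === 'object' && v !== null && typeof (v as any).sql === 'string';
}

// Fixed pattern: JSON.parse and plain user objects cannot produce a symbol key,
// so only values created through raw() are ever inlined.
function isRawSymbol(v: unknown): boolean {
  return typeof v === 'object' && v !== null && (v as any)[RAW] === true;
}

// Compile {column: value} into a SET clause: fragments are inlined verbatim,
// every other value becomes a bound parameter.
function compileSet(
  values: Record<string, unknown>,
  isRaw: (v: unknown) => boolean,
): { sql: string; params: unknown[] } {
  const parts: string[] = [];
  const params: unknown[] = [];
  for (const [col, val] of Object.entries(values)) {
    if (isRaw(val)) {
      parts.push(`${col} = ${(val as { sql: string }).sql}`);
    } else {
      parts.push(`${col} = ?`);
      params.push(val);
    }
  }
  return { sql: 'SET ' + parts.join(', '), params };
}

// Constructed request body: the nested object mimics a fragment's shape.
const userInput = JSON.parse('{"name":"alice","role":{"sql":"(SELECT 1)"}}');
const vulnerable = compileSet(userInput, isRawDuckTyped); // role inlined as SQL
const hardened = compileSet(userInput, isRawSymbol);      // role stays a parameter
const legitimate = compileSet({ updatedAt: raw('NOW()') }, isRawSymbol);
```

With the symbol marker the nested object is bound as an ordinary parameter (a JSON column would serialise it, anything else would be rejected by the driver), while a genuine raw('NOW()') fragment is still inlined.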
Weakness Enumeration
SQL injection
Affected Products
Mikroorm