Sequelize

1 CVE for this product


CVE-2026-30951 | Severity: HIGH | Recommended action: patch this week

SQL injection in Sequelize prior to version 6.37.8 allows an unauthenticated attacker to execute arbitrary SQL and read data a query was never meant to return, by controlling the keys of a JSON object used to build a WHERE clause. The flaw is in the _traverseJSON() function, which takes the cast type parsed from a JSON-path key and interpolates it into a CAST SQL expression without sanitizing it. The exposure exists wherever an application lets untrusted input name the keys of a `where` object (for example, passing a request body or query string straight into a model query); Node.js applications on affected versions should upgrade to 6.37.8 or later and, independently of the upgrade, restrict filter keys to an allow-list of known columns, since a version bump alone does not fix that pattern.

Tags: Node.js, SQLi, Sequelize
References: NVD, GitHub, VulDB
CVSS 3.1: 7.5 (HIGH) | EPSS: 0.0%
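The mitigation the description implies, as an added example in JavaScript that is not Sequelize's code and not part of this advisory: a filter that passes only allow-listed, scalar-valued column filters into a Sequelize `where`, rejecting key shapes (`a.b`, `a.b::type`, `$a.b$`) that Sequelize would otherwise interpret as JSON paths, casts or nested references, plus a version gate for the fixed release. The column names and request objects are constructed for illustration, and `buildSafeWhere` and `isAffectedVersion` are names chosen here; the version gate only encodes the "prior to 6.37.8" range stated above and makes no claim about other release lines.

```javascript
// Added example, not Sequelize's own code. The advisory above says the cast
// type taken from a JSON-path key reaches a CAST() expression unsanitized, so
// the defensive rule is: untrusted input may choose filter VALUES, never KEYS.
//
// Usage (assumed call site, hypothetical model):
//   Model.findAll({ where: buildSafeWhere(req.query, ['status', 'age']) })

// A plain SQL column name; anything with ".", "::", "$", spaces or
// parentheses is rejected before it can be read as a path, cast or reference.
const PLAIN_COLUMN = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildSafeWhere(untrusted, allowedColumns) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('filter must be a plain object');
  }
  const allowed = new Set(allowedColumns);
  const where = {};
  for (const [key, value] of Object.entries(untrusted)) {
    if (!PLAIN_COLUMN.test(key)) {
      throw new Error(`rejected filter key with path/cast syntax: ${key}`);
    }
    if (!allowed.has(key)) {
      throw new Error(`unknown column in filter: ${key}`);
    }
    // Only scalars: an object value would be interpreted as an operator map
    // (or another key set) rather than as data, so it is refused as well.
    const scalar = value === null || ['string', 'number', 'boolean'].includes(typeof value);
    if (!scalar) {
      throw new Error(`non-scalar filter value for column: ${key}`);
    }
    where[key] = value;
  }
  return where;
}

// True when `version` is older than the fixed release 6.37.8 named above.
// Pre-release suffixes ("-alpha.1") are ignored for the comparison.
function isAffectedVersion(version) {
  const parts = String(version).replace(/^v/, '').split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  const fixed = [6, 37, 8];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 6.37.8
}

// Constructed request inputs, as a caller would see them.
const benignQuery = { status: 'active', age: 30 };
const hostileQuery = { 'meta.role::text': 'admin' };

console.log(buildSafeWhere(benignQuery, ['status', 'age']));
try {
  buildSafeWhere(hostileQuery, ['meta']);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('6.37.7 affected:', isAffectedVersion('6.37.7'));

module.exports = { buildSafeWhere, isAffectedVersion };
```

The allow-list is deliberately stricter than "reject `::`": a key that survives must be a plain identifier that the application itself declared, so a new Sequelize key syntax cannot reopen the hole, and operator objects are refused because a `where` built from untrusted nested objects lets the client choose the comparison, not just the value.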