CVE-2026-30951

Severity: High
WAF coverage: High
CVSS: 7.5
Published: 2026-03-10
CWE-89

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
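The flaw class described above, as an added illustration that is not Sequelize's own code: a toy JSON where-clause builder that splits the key on :: and splices the cast type into CAST(... AS ...) raw, beside a hardened version that accepts only allowlisted cast types and plain path segments. The allowlist, the column name and the sample keys are constructed for the example; the real fix is to upgrade to 6.37.8 and to keep untrusted object keys out of where clauses.

```javascript
// Constructed allowlist: assumption that the application only needs these.
const ALLOWED_CAST_TYPES = new Set(['text', 'integer', 'numeric', 'boolean']);
// Path segments must be plain identifiers; anything else is rejected.
const SAFE_SEGMENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Double-quote a column identifier, escaping embedded double quotes.
function quoteIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Postgres JSON-path text extraction ("col"#>>'{a,b}') for a dotted path.
// Segments are not escaped here; the hardened builder validates them first.
function jsonPathExpr(column, path) {
  return `(${quoteIdentifier(column)}#>>'{${path.split('.').join(',')}}')`;
}

// Unsafe pattern: whatever follows "::" lands in CAST(... AS ...) verbatim.
function buildJsonCastUnsafe(column, key) {
  const [path, castType] = key.split('::');
  const expr = jsonPathExpr(column, path);
  return castType === undefined ? expr : `CAST(${expr} AS ${castType})`;
}

// Hardened: reject extra "::" parts, odd path segments, unknown cast types.
function buildJsonCastSafe(column, key) {
  const [path, castType, ...rest] = key.split('::');
  if (rest.length > 0) throw new Error('malformed key: multiple "::"');
  if (!path.split('.').every((s) => SAFE_SEGMENT.test(s))) {
    throw new Error('invalid JSON path segment');
  }
  if (castType !== undefined && !ALLOWED_CAST_TYPES.has(castType.toLowerCase())) {
    throw new Error(`cast type not allowed: ${JSON.stringify(castType)}`);
  }
  const expr = jsonPathExpr(column, path);
  return castType === undefined ? expr : `CAST(${expr} AS ${castType.toLowerCase()})`;
}

// Constructed inputs: a legitimate key and a malformed one whose "cast type"
// closes the CAST parenthesis and carries trailing text.
const GOOD_KEY = 'profile.age::integer';
const BAD_KEY = 'profile.age::integer) junk';

console.log(buildJsonCastSafe('data', GOOD_KEY));
try {
  buildJsonCastSafe('data', BAD_KEY);
} catch (e) {
  console.log('rejected:', e.message);
}
```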

WAF Coverage Analysis

Category: SQL Injection (WAF coverage: High)

OWASP: A03:2021 Injection

942xxx - SQL Injection

Affected Software

Vendor        Product     Version
sequelizejs   sequelize   up to 6.37.8
