CVE-2026-30951 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-30951 PUBLISHED CVSS 7.5 HIGH

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

EPSS 0.04% · 13.3th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.04%

13.3th percentile

Affected Products

Vendor	Product	Versions
sequelizejs	sequelize	0, 0, 0
sequelize	sequelize	>= 6.0.0-beta.1, < 6.37.8, >= 6.0.0-beta.1, < 6.37.8, >= 6.0.0-beta.1, < 6.37.8
npm	sequelize	6.0.0-beta.1, 6.0.0-beta.1, 6.0.0-beta.1

Timeline

Mar 10, 2026 CVE Published
Mar 11, 2026 EPSS Score
Mar 11, 2026 CVE Updated
Mar 12, 2026 EPSS Score
Mar 13, 2026 EPSS Score
Mar 14, 2026 EPSS Score
Mar 15, 2026 EPSS Score
Mar 16, 2026 EPSS Score
Mar 17, 2026 EPSS Score
Mar 17, 2026 Coalition ESS Score
Mar 17, 2026 Security Advisory
Mar 18, 2026 EPSS Score

References

Open in Interactive Console →