Bug 2446250 (CVE-2026-30951)
| Summary: | CVE-2026-30951 sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | anthomas, ehelms, ggainey, juwatts, mhulan, mstipich, nmoumoul, osousa, pcreech, rchan, rexwhite, smallamp, sthirugn, tmalecek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Sequelize, a Node.js Object-Relational Mapper (ORM) tool. A remote attacker can exploit a SQL injection vulnerability by manipulating JSON object keys during JSON/JSONB where clause processing. This allows for the injection of arbitrary SQL commands due to the improper handling of cast types. The primary consequence is the potential for unauthorized data exfiltration from any database table.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2446300 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-03-10 21:01:40 UTC
|