{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "ae06b4552bfcda5a91089c2f3a71d7897b9205b9"
            },
            {
              "fixed": "cb7f99ad05de56137672ab95586359ff6ceba004"
            }
          ],
          "repo": "https://github.com/sequelize/sequelize",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-6457-6jrx-69cr"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30951.json"
  },
  "details": "Sequelize is a Node.js ORM tool. Versions prior to 6.37.8 are vulnerable to SQL injection through an unescaped cast type in JSON/JSONB where-clause processing. The _traverseJSON() function splits JSON path keys on '::' to extract a cast type, which is then interpolated without escaping into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.",
  "id": "CVE-2026-30951",
  "modified": "2026-04-01T23:08:17.087279799Z",
  "published": "2026-03-10T20:22:46.150Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30951.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30951"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type"
}