Description
Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.
Recommendation
Update the payload package to the latest compatible version. Version details:
- Affected version(s): < 3.79.1
- Patched version(s): 3.79.1
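
One way to check a project against these version bounds is to scan its parsed `package-lock.json` for every resolved copy of `payload`, including copies nested under other dependencies. This is an added example, not code from the advisory or from the payload project; the function names, the sample lockfile and the `some-plugin` package are constructed for illustration.

```javascript
const PATCHED = [3, 79, 1]; // advisory: affected < 3.79.1, patched 3.79.1
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null for git URLs, tags, etc.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { core: [+m[1], +m[2], +m[3]], prerelease: Boolean(m[4]) } : null;
}

function isAffected(v) {
  for (let i = 0; i < 3; i++) {
    if (v.core[i] !== PATCHED[i]) return v.core[i] < PATCHED[i];
  }
  return v.prerelease; // a prerelease of 3.79.1 sorts before 3.79.1
}

// Collect every resolved copy of `name`, including copies nested under other packages.
function findInstalls(lock, name) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: meta.version });
    }
  }
  if (found.length > 0) return found;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

function auditLock(lock) {
  return findInstalls(lock, "payload").map(({ path, version }) => {
    const v = parseVersion(String(version));
    return { path, version, status: !v ? "unknown" : isAffected(v) ? "affected" : "patched" };
  });
}

// Constructed sample lockfile; "some-plugin" is a hypothetical package.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/payload": { version: "3.79.1" },
  "node_modules/some-plugin/node_modules/payload": { version: "3.78.0" },
} };
console.log(auditLock(sampleLock));
```

For a real project, pass `auditLock` the result of `JSON.parse` on the contents of `package-lock.json`. An `unknown` status means the entry has no plain semver version (for example a git or link dependency) and needs a manual look.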
References
Related Issues
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading - CVE-2026-41640
- Drizzle ORM has SQL injection via improperly escaped SQL identifiers - CVE-2026-39356
- Tags:
- npm
- payload
Last updated on April 06, 2026


