Description
Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.
Recommendation
Update the `payload` package to the latest compatible version. Version details:
- Affected version(s): < 3.79.1
- Patched version(s): 3.79.1
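
One way to check a project against the version range above, as an added example (not code from the advisory or from the Payload project): it scans the `packages` map of a parsed npm `package-lock.json` for installed copies of `payload` below 3.79.1. The sample lockfile and the names `some-plugin` and `@example/payload` are constructed for illustration.

```javascript
// Added example: flag installs of the npm package "payload" below the patched version.
const PATCHED = "3.79.1"; // patched version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts before `patched`. A prerelease of the patched
// version (e.g. 3.79.1-beta.0) sorts before the release, so it counts as affected.
function isAffected(version, patched = PATCHED) {
  const a = parseVersion(version), b = parseVersion(patched);
  if (!a || !b) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3)
// and return every installed copy of "payload" below the patched version,
// including copies nested under another dependency's node_modules.
function findAffectedPayload(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/payload" && !path.endsWith("/node_modules/payload")) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names, not from the advisory).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/payload": { version: "3.79.1" },
    "node_modules/some-plugin/node_modules/payload": { version: "3.62.0" },
    "node_modules/@example/payload": { version: "1.0.0" }, // different package, not matched
  },
};
console.log(findAffectedPayload(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffectedPayload`.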
References
Related Issues
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading - CVE-2026-41640
- Drizzle ORM has SQL injection via improperly escaped SQL identifiers - CVE-2026-39356
- Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that - CVE-2026-33468
Tags: npm, payload
Last updated on April 06, 2026


