CVE-2026-22814

Published 13/01/2026 20:16 · Modified 14/01/2026 16:25

Labels: CVE-2026-22814, 2026-01-13, CWE-915, [email protected]

Essential information

Published: 13/01/2026 20:16
Modified: 14/01/2026 16:25
Author:
Creator:
CVSS: 8.2 HIGH (v3), 8.2 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

NVD status

Status: Awaiting Analysis. CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product            CPE
adonisjs / lucid   cpe:2.3:a:adonisjs:lucid:<21.8.2:*:*:*:*:*:*
adonisjs / lucid   cpe:2.3:a:adonisjs:lucid:22.0.0-next:*:*:*:*:*:*

References