CVE-2026-32763

{"id": "CVE-2026-32763", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T00:16:17.790", "references": [{"url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con seguridad de tipos. Las versiones hasta la 0.28.11 inclusive tienen una vulnerabilidad de inyecci\u00f3n SQL en la compilaci\u00f3n de rutas JSON para los dialectos de MySQL y SQLite. La funci\u00f3n visitJSONPathLeg() a\u00f1ade valores controlados por el usuario de .key() y .at() directamente en literales de cadena de ruta JSON entre comillas simples ('$.key') sin escapar las comillas simples. Un atacante puede salir del contexto de la cadena de ruta JSON e inyectar SQL arbitrario. Esto es inconsistente con sanitizeIdentifier(), que duplica correctamente los caracteres delimitadores para los identificadores \u2014 ambos son constructos SQL no parametrizables que requieren escape manual, pero solo los identificadores est\u00e1n protegidos. La versi\u00f3n 0.28.12 corrige el problema."}], "lastModified": "2026-04-08T20:57:45.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B1A94611-2C50-4312-ABC1-22E5B3BB63E3", "versionEndExcluding": "0.28.12", "versionStartIncluding": "0.26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}