CVE-2026-33468

Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
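The escaping defect described above, as an added TypeScript example that is not Kysely's own code: a quote-doubling-only sanitizer in the assumed pre-0.28.14 shape, a hardened form that also escapes backslashes (correct only for dialects where backslash is an escape character, as MySQL with `NO_BACKSLASH_ESCAPES` off), and a small MySQL-style literal scanner used to check whether a rendered literal stays closed. The function names and the sample values are constructed for the example.

```typescript
// Added example (not Kysely's implementation). Assumed shape of the
// pre-0.28.14 sanitizer: only single quotes are doubled.
function sanitizeQuoteOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened form for dialects where backslash is an escape character
// (MySQL with NO_BACKSLASH_ESCAPES off): escape backslashes first,
// then double the quotes. Ordering matters: doubling quotes first and
// then escaping backslashes would still be correct here, but escaping
// backslashes after introducing none is the simplest to reason about.
function sanitizeBackslashAware(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Wrap a sanitized value in single quotes, as an inlined literal would be.
function quoteLiteral(value: string, sanitize: (s: string) => string): string {
  return `'${sanitize(value)}'`;
}

// Minimal scanner for a MySQL-style single-quoted literal starting at
// `start`. Returns the index just past the closing quote, honouring the
// two escape forms MySQL accepts when NO_BACKSLASH_ESCAPES is off:
// a doubled quote ('') and a backslash followed by any character.
// Returns -1 if the literal is unterminated.
function literalEndIndex(sql: string, start: number): number {
  if (sql[start] !== "'") throw new Error("expected opening quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }            // backslash escapes the next char
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }  // doubled quote, still inside
      return i + 1;                                  // closing quote found
    }
    i++;
  }
  return -1;
}

// True when the rendered literal consumes the whole rendered text, i.e.
// the value cannot terminate the literal early or leave it unterminated.
// A reviewer can run this over a corpus of test values for each sanitizer.
function literalStaysClosed(value: string, sanitize: (s: string) => string): boolean {
  const sql = quoteLiteral(value, sanitize);
  return literalEndIndex(sql, 0) === sql.length;
}

// Constructed sample values: an ordinary apostrophe, and a value that
// ends in a backslash (the case the quote-only sanitizer mishandles).
const SAMPLE_APOSTROPHE = "O'Reilly";
const SAMPLE_TRAILING_BACKSLASH = "abc\\";

// Quick self-check when run directly.
console.log(literalStaysClosed(SAMPLE_APOSTROPHE, sanitizeQuoteOnly));            // true
console.log(literalStaysClosed(SAMPLE_TRAILING_BACKSLASH, sanitizeQuoteOnly));    // false
console.log(literalStaysClosed(SAMPLE_TRAILING_BACKSLASH, sanitizeBackslashAware)); // true
```

The scanner is the useful part for a defender: it turns "does this sanitizer keep the value inside the literal for this dialect?" into a test that can run over a fuzzed corpus. Note that the backslash-aware form is dialect-specific; on a MySQL server with `NO_BACKSLASH_ESCAPES` enabled, or on PostgreSQL's default standard-conforming strings, doubling backslashes would corrupt stored data, which is why parameter binding is preferable to inlining wherever the builder allows it.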
References

Link: https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx
Resource: Exploit, Mitigation, Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*

History

31 Mar 2026, 21:24

Type: CPE
  Values Added: cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*

Type: References
  Values Removed: () https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx -
  Values Added: () https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx - Exploit, Mitigation, Vendor Advisory

Type: First Time
  Values Added: Kysely kysely; Kysely

30 Mar 2026, 13:26

Type: Summary
  Values Added:
  • (es) Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escaped single quotes by doubling them (`'` → `''`) but did not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.

26 Mar 2026, 17:16

Type: New CVE

Information

Published : 2026-03-26 17:16

Updated : 2026-03-31 21:24


NVD link : CVE-2026-33468

Mitre link : CVE-2026-33468

CVE.ORG link : CVE-2026-33468

Products Affected

kysely

  • kysely
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')