← Retour aux CVEs
CVE-2026-33442
HIGH8.1
Description
Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
Details CVE
Score CVSS v3.18.1
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteHIGH
Privileges requisNONE
Interaction utilisateurNONE
Publie3/26/2026
Derniere modification3/31/2026
Sourcenvd
Observations honeypot0
Produits affectes
kysely:kysely
Faiblesses (CWE)
CWE-89
References
https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.