CVE-2026-33442
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` โ `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
| CWE | CWE-89 |
| Vendor | kysely-org |
| Product | kysely |
| Published | Mar 26, 2026 |
| Last Updated | Mar 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for kysely-org kysely
Be the first to know when new high vulnerabilities affecting kysely-org kysely are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
kysely-org / kysely
>= 0.28.12, < 0.28.14