{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32763", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-03-19T23:14:58.747Z", "dateUpdated": "2026-03-21T03:05:22.505Z"}, "containers": {"cna": {"title": "SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66"}, {"name": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["x_refsource_MISC"], "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}, {"name": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12"}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"version": ">= 0.26.0, < 0.28.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:14:58.747Z"}, "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}], "source": {"advisory": "GHSA-wmrf-hv6w-mr66", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:04:47.575074Z", "id": "CVE-2026-32763", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:05:22.505Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32763", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:04:47.575074Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:05:00.664Z"}}], "cna": {"title": "SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.", "source": {"advisory": "GHSA-wmrf-hv6w-mr66", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"status": "affected", "version": ">= 0.26.0, < 0.28.12"}]}], "references": [{"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66", "name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "name": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12", "name": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:14:58.747Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32763", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:05:22.505Z", "dateReserved": "2026-03-13T18:53:03.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:14:58.747Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B1A94611-2C50-4312-ABC1-22E5B3BB63E3", "versionEndExcluding": "0.28.12", "versionStartIncluding": "0.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con seguridad de tipos. Las versiones hasta la 0.28.11 inclusive tienen una vulnerabilidad de inyecci\u00f3n SQL en la compilaci\u00f3n de rutas JSON para los dialectos de MySQL y SQLite. La funci\u00f3n visitJSONPathLeg() a\u00f1ade valores controlados por el usuario de .key() y .at() directamente en literales de cadena de ruta JSON entre comillas simples ('$.key') sin escapar las comillas simples. Un atacante puede salir del contexto de la cadena de ruta JSON e inyectar SQL arbitrario. Esto es inconsistente con sanitizeIdentifier(), que duplica correctamente los caracteres delimitadores para los identificadores \u2014 ambos son constructos SQL no parametrizables que requieren escape manual, pero solo los identificadores est\u00e1n protegidos. La versi\u00f3n 0.28.12 corrige el problema."}], "id": "CVE-2026-32763", "lastModified": "2026-04-08T20:57:45.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:17.790", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.26.0,0.28.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kysely", "source": "cna", "vendor": "kysely-org"}, "product": "kysely", "vendor": "kysely-org"}], "analysis": {"en": {"generated_at": "2026-04-08T23:39:08.391567+00:00", "value": {"mitigation_remediation": ["Upgrade to Kysely\u202f0.28.12 or later to apply the fix.", "If an immediate upgrade is not possible, avoid passing untrusted data to the .key() or .at() methods; instead validate or escape values manually and use Kysely\u2019s identifier sanitization utilities when constructing JSON paths."], "summary": {"action": "Patch Now", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Any Node.js application that imports the kysely-org/kysely library and uses the .key() or .at() methods to build JSON path expressions against MySQL or SQLite is affected. All releases up to 0.28.11 are vulnerable; the fix is included in release 0.28.12 and later.", "description_and_impact": "Kysely is a type\u2011safe TypeScript SQL query builder. In versions up to and including 0.28.11, the JSON path compiler for MySQL and SQLite concatenates user\u2011controlled values supplied via the .key() and .at() methods directly into single\u2011quoted JSON path string literals without escaping single quotes. This omission permits an attacker to terminate the JSON path string and injected malicious SQL into the query. The flaw is a classic SQL Injection (CWE\u201189) that can allow an attacker to read, modify or delete data in the database, thereby compromising confidentiality, integrity, and availability of the application\u2019s data.", "risk_and_exploitability": "The vulnerability carries a high severity with a CVSS score of 8.2. Its EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation for the time being. However, the attack vector is straightforward: an attacker who can influence data passed to .key() or .at() can inject arbitrary SQL. This can provide the same level of access as the application, potentially leading to data exfiltration or modification."}}}}, "created": "2026-03-20T08:54:19.464725+00:00", "updated": "2026-04-09T08:29:44.124996+00:00", "vendors": ["kysely-org", "kysely-org$PRODUCT$kysely"]}