{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33442", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.438Z", "datePublished": "2026-03-26T17:01:57.866Z", "dateUpdated": "2026-03-26T18:47:53.070Z"}, "containers": {"cna": {"title": "Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv"}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"version": ">= 0.28.12, < 0.28.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:01:57.866Z"}, "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` \u2192 `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue."}], "source": {"advisory": "GHSA-fr9j-6mvq-frcv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:47:45.836821Z", "id": "CVE-2026-33442", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:47:53.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33442", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:47:45.836821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:47:50.296Z"}}], "cna": {"title": "Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.", "source": {"advisory": "GHSA-fr9j-6mvq-frcv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"status": "affected", "version": ">= 0.28.12, < 0.28.14"}]}], "references": [{"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv", "name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` \u2192 `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:01:57.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33442", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:47:53.070Z", "dateReserved": "2026-03-19T18:45:22.438Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:01:57.866Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2CD191E8-8EA7-43BA-B237-9C2091B32B93", "versionEndExcluding": "0.28.14", "versionStartIncluding": "0.28.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` \u2192 `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con tipado seguro. En las versiones 0.28.12 y 0.28.13, el m\u00e9todo `sanitizeStringLiteral` en el compilador de consultas de Kysely escapa las comillas simples (`'` ? `''`) pero no escapa las barras invertidas. En MySQL con el modo SQL predeterminado `BACKSLASH_ESCAPES`, un atacante puede inyectar una barra invertida antes de una comilla simple para neutralizar el escape, saliendo del literal de cadena de ruta JSON e inyectando SQL arbitrario. La versi\u00f3n 0.28.14 corrige el problema."}], "id": "CVE-2026-33442", "lastModified": "2026-03-31T21:27:04.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:40.850", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.28.12,0.28.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kysely", "source": "cna", "vendor": "kysely-org"}, "product": "kysely", "vendor": "kysely-org"}], "analysis": {"en": {"generated_at": "2026-04-01T07:09:38.064574+00:00", "value": {"mitigation_remediation": ["Upgrade Kysely to version 0.28.14 or later.", "Verify that the deployed version is not 0.28.12 or 0.28.13 and that the MySQL instance uses the default BACKSLASH_ESCAPES mode as described."], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Kysely, maintained by kysely\u2011org. Versions 0.28.12 and 0.28.13 are vulnerable when used with a MySQL backend that has the default BACKSLASH_ESCAPES mode enabled. All applications that rely on these library versions to build SQL queries from user\u2011supplied JSON path keys are at risk. The issue was remedied in version 0.28.14, which now properly escapes backslashes.", "description_and_impact": "Kysely\u2019s query compiler contains a flaw in the sanitizeStringLiteral method that only escapes single quotes but leaves backslashes untouched. On MySQL databases running the default BACKSLASH_ESCAPES mode, an attacker can prepend a backslash to an input string, neutralizing the escape of a following single quote. This allows the attacker to terminate the JSON path string literal and inject arbitrary SQL statements through the query builder, potentially causing unauthorized data disclosure or modification. The defect is a classic SQL injection weakness described by CWE\u201189.", "risk_and_exploitability": "The vulnerability scores 8.1 on the CVSS scale, indicating a high severity of potential impact. EPSS analysis shows the probability of exploitation is below 1%, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves an application that constructs dynamic SQL using JSON path keys, where an attacker can supply a crafted input to the underlying query builder. While exploitation enables arbitrary SQL execution, it requires the vulnerable library version and integration with a MySQL database running the default BACKSLASH_ESCAPES mode."}}}}, "created": "2026-03-27T08:33:38.450819+00:00", "updated": "2026-04-02T07:58:55.740011+00:00", "vendors": ["kysely-org", "kysely-org$PRODUCT$kysely"]}