{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33468", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.968Z", "datePublished": "2026-03-26T17:03:05.972Z", "dateUpdated": "2026-03-26T19:52:10.689Z"}, "containers": {"cna": {"title": "Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx"}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"version": "< 0.28.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:03:05.972Z"}, "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` \u2192 `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values \u2014 specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix."}], "source": {"advisory": "GHSA-8cpq-38p9-67gx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33468", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:48:27.840503Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:10.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33468", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:48:27.840503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:36.120Z"}}], "cna": {"title": "Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings", "source": {"advisory": "GHSA-8cpq-38p9-67gx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"status": "affected", "version": "< 0.28.14"}]}], "references": [{"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx", "name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` \u2192 `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values \u2014 specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:03:05.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33468", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:10.689Z", "dateReserved": "2026-03-20T16:16:48.968Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:03:05.972Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "030AB58C-2968-4A93-8C8D-84D7A571BB94", "versionEndExcluding": "0.28.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` \u2192 `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values \u2014 specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con seguridad de tipos. Antes de la versi\u00f3n 0.28.14, `DefaultQueryCompiler.sanitizeStringLiteral()` de Kysely solo escapaba las comillas simples duplic\u00e1ndolas ('`'` ? `''`) pero no escapaba las barras invertidas. Cuando se usa con el dialecto de MySQL (donde `NO_BACKSLASH_ESCAPES` est\u00e1 DESACTIVADO por defecto), un atacante puede usar una barra invertida para escapar la comilla final de un literal de cadena, saliendo del contexto de la cadena e inyectando SQL arbitrario. Esto afecta a cualquier ruta de c\u00f3digo que utilice `ImmediateValueTransformer` para incrustar valores \u2014 espec\u00edficamente `CreateIndexBuilder.where()` y `CreateViewBuilder.as()`. La versi\u00f3n 0.28.14 contiene una correcci\u00f3n."}], "id": "CVE-2026-33468", "lastModified": "2026-03-31T21:24:51.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:41.007", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.28.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kysely", "source": "cna", "vendor": "kysely-org"}, "product": "kysely", "vendor": "kysely-org"}], "analysis": {"en": {"generated_at": "2026-04-01T06:48:50.575119+00:00", "value": {"mitigation_remediation": ["Upgrade to kysely v0.28.14 or newer."], "summary": {"action": "Apply Patch", "impact": "SQL Injection allowing arbitrary query execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all projects that use the kysely library before version 0.28.14. Any Node.js application that imports this library, targets a MySQL database, and inline values in query builder methods is potentially vulnerable. The vendor identified is kysely-org, and the affected product is the Kysely library. The fix is delivered in release 0.28.14.", "description_and_impact": "Kysely is a type\u2011safe TypeScript SQL query builder. Prior to version 0.28.14 the sanitation routine for string literals only doubled single quotes but left backslashes untouched. In MySQL, where NO_BACKSLASH_ESCAPES is OFF by default, an attacker can inject a backslash to terminate the string literal, break out of the string context, and execute arbitrary SQL. This control flow is reachable through any code path that uses the ImmediateValueTransformer, such as CreateIndexBuilder.where() or CreateViewBuilder.as(). The vulnerability permits the attacker to inject malicious SQL statements, compromising the confidentiality, integrity, and availability of the database.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, yet the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the application accepts unsanitized user input that is inlined into SQL queries and that the MySQL connection uses the default backslash escaping. Without updating to v0.28.14, the risk remains legitimate."}}}}, "created": "2026-03-27T08:33:37.512321+00:00", "updated": "2026-04-02T07:56:38.018172+00:00", "vendors": ["kysely-org", "kysely-org$PRODUCT$kysely"]}