CVE-2026-33442

Source
https://cve.org/CVERecord?id=CVE-2026-33442
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33442.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33442
Aliases
Published
2026-03-26T17:01:57.866Z
Modified
2026-04-02T13:27:25.150920Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
Details

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the sanitizeStringLiteral method in Kysely's query compiler escapes single quotes (') but does not escape backslashes. On MySQL with the default BACKSLASH_ESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
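The escaping defect described above, as an added illustration that is not Kysely's code and not the project's fix: a quote-only sanitizer next to one that also escapes backslashes, checked against a deliberately simplified model of how a MySQL lexer with BACKSLASH_ESCAPES consumes a single-quoted literal. The function names, the `'$.<key>'` JSON-path shape, and the sample key are constructed for this example; the lexer model only handles `\x` and `''` and ignores MySQL's other escape sequences.

```typescript
// Added example (hypothetical reconstruction, not Kysely's implementation).

// Quote-only sanitizer: doubles single quotes and leaves backslashes alone.
// This mirrors the behaviour the advisory attributes to 0.28.12/0.28.13.
function sanitizeQuoteOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened sanitizer for MySQL with BACKSLASH_ESCAPES enabled:
// escape backslashes first, then double single quotes.
function sanitizeMySqlLiteral(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Build a JSON path string literal as it would be embedded in SQL: '$.<key>'
function buildJsonPathLiteral(
  key: string,
  sanitize: (s: string) => string
): string {
  return `'$.${sanitize(key)}'`;
}

// Simplified model of a MySQL lexer (BACKSLASH_ESCAPES on) reading a
// single-quoted literal that starts at `start`. A backslash consumes the next
// character; two consecutive quotes are one escaped quote. Returns the index
// just past the closing quote, or -1 if the literal never terminates.
function literalEnd(sql: string, start: number): number {
  if (sql[start] !== "'") throw new Error("expected opening quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i++;
  }
  return -1;
}

// True when the fragment is exactly one literal, i.e. nothing after the
// sanitized key is lexed as SQL outside the string.
function isSingleLiteral(fragment: string): boolean {
  return literalEnd(fragment, 0) === fragment.length;
}

// Decode a complete literal back to its string value under the same model,
// so a correct sanitizer can be checked for round-tripping.
function decodeLiteral(fragment: string): string {
  if (!isSingleLiteral(fragment)) throw new Error("not a single literal");
  let out = "";
  for (let i = 1; i < fragment.length - 1; i++) {
    const c = fragment[i];
    if (c === "\\" || (c === "'" && fragment[i + 1] === "'")) {
      out += fragment[i + 1];
      i++;
      continue;
    }
    out += c;
  }
  return out;
}

// Constructed sample key containing a backslash followed by a single quote.
const SAMPLE_KEY = "a\\'b";

// Demonstration when run directly: the quote-only sanitizer lets the literal
// close early, the hardened one keeps the key inside the string.
console.log(isSingleLiteral(buildJsonPathLiteral(SAMPLE_KEY, sanitizeQuoteOnly)));    // false
console.log(isSingleLiteral(buildJsonPathLiteral(SAMPLE_KEY, sanitizeMySqlLiteral))); // true
```

For a benign key such as `user.name` both sanitizers produce a single closed literal; only the key with a backslash before the quote separates them, which is the condition the advisory describes. The durable fix is not a better string escaper but passing JSON path keys as bound parameters, which is why the type-safe Kysely API is not affected; the escaper is shown here only to make the defect concrete.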

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33442.json"
}
References

Affected packages

Git / github.com/kysely-org/kysely

Affected ranges

Type
GIT
Repo
https://github.com/kysely-org/kysely
Events
Database specific
{
    "versions": [
        {
            "introduced": "0.28.12"
        },
        {
            "fixed": "0.28.14"
        }
    ]
}

Affected versions

v0.*
v0.28.12
v0.28.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33442.json"