CVE-2026-33468

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33468
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33468.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33468
Aliases
Downstream
Related
Published
2026-03-26T17:03:05.972Z
Modified
2026-04-10T05:43:05.523849Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
Details

Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's DefaultQueryCompiler.sanitizeStringLiteral() only escapes single quotes by doubling them (''') but does not escape backslashes. When used with the MySQL dialect (where NO_BACKSLASH_ESCAPES is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses ImmediateValueTransformer to inline values — specifically CreateIndexBuilder.where() and CreateViewBuilder.as(). Version 0.28.14 contains a fix.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33468.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/kysely-org/kysely

Affected ranges

Type
GIT
Repo
https://github.com/kysely-org/kysely
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
91cf3733b2a419f5b17dff118cedb7052ab5300d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.28.14"
        }
    ]
}

Affected versions

0.*
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.16.10
0.16.11
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.16.7
0.16.8
0.16.9
0.17.0
0.17.2
0.17.3
0.18.0
0.18.1
0.19.0
0.19.1
0.19.10
0.19.11
0.19.12
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8
0.19.9
0.20.0
0.20.1
0.21.0
0.21.1
0.21.2
0.21.3
0.21.4
0.21.5
0.21.6
0.22.0
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.24.0
0.24.2
0.25.0
0.26.0
0.26.1
0.26.2
0.26.3
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5
0.27.6
0.28.0
0.28.1
0.28.2
0.7.8
0.7.9
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
v0.*
v0.28.10
v0.28.11
v0.28.12
v0.28.13
v0.28.3
v0.28.4
v0.28.5
v0.28.6
v0.28.7
v0.28.8
v0.28.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33468.json"