{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0.28.12" }, { "fixed": "0.28.14" } ] }, "events": [ { "introduced": "afc81a1a11a139114b891abd654424fcd8b6afaa" }, { "fixed": "91cf3733b2a419f5b17dff118cedb7052ab5300d" } ], "repo": "https://github.com/kysely-org/kysely", "type": "GIT" } ] } ], "aliases": [ "GHSA-fr9j-6mvq-frcv" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33442.json" }, "details": "Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.", "id": "CVE-2026-33442", "modified": "2026-04-01T23:10:06.979341829Z", "published": "2026-03-26T17:01:57.866Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33442.json" }, { "type": "ADVISORY", "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33442" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys." }