SQL Injection Vulnerability in Kysely TypeSafe TypeScript Query Builder
CVE-2026-33442

8.1 HIGH

Key Information:

Vendor: Kysely-org
Status: Vendor
CVE Published: 26 March 2026

What is CVE-2026-33442?

The Kysely type-safe TypeScript SQL query builder contains a vulnerability in its sanitizeStringLiteral method in versions 0.28.12 and 0.28.13. The method escapes single quotes but does not escape backslashes. In a MySQL environment with the default BACKSLASH_ESCAPES mode enabled, an attacker could exploit this oversight to perform SQL injection by placing a backslash before a single quote: the backslash neutralises the sanitizer's escaping of that quote, leaving an unescaped quote that ends the string literal, so the intended escaping is bypassed and arbitrary SQL can be executed. Version 0.28.14 of Kysely addresses this issue.
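As an added example (not Kysely's code), the snippet below reconstructs the class of bug the advisory describes: a hypothetical quote-only escaper beside a backslash-aware one, each checked by a small scanner that applies MySQL's BACKSLASH_ESCAPES rules to find where the produced string literal actually ends. The function names, the sample input and the scanner are assumptions; Kysely's real sanitizeStringLiteral is not reproduced here.

```typescript
// Added example (not Kysely's code): a hypothetical quote-only escaper of the
// kind the advisory describes, a backslash-aware replacement, and a scanner
// that applies MySQL BACKSLASH_ESCAPES rules to find where a literal ends.

// Hypothetical weak escaper: doubles single quotes but leaves backslashes alone.
function escapeQuotesOnly(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Hypothetical hardened escaper: double backslashes first, then single quotes,
// so a backslash in the input can never swallow the quote that follows it.
function escapeBackslashAware(value: string): string {
  return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "''")}'`;
}

// Scan `literal` the way MySQL reads a '...' literal with BACKSLASH_ESCAPES on:
// a backslash escapes the next character and '' is an embedded quote. Returns
// the index just past the closing quote, or -1 if the literal never closes.
function literalEnd(literal: string): number {
  if (literal[0] !== "'") return -1;
  let i = 1;
  while (i < literal.length) {
    const c = literal[i];
    if (c === "\\") { i += 2; continue; }                // escaped character
    if (c === "'") {
      if (literal[i + 1] === "'") { i += 2; continue; }  // doubled quote
      return i + 1;                                      // closing quote
    }
    i++;
  }
  return -1;
}

// The escaped value is safe only if the whole output is consumed as one literal;
// anything after an early closing quote would be parsed as SQL.
function isSafeLiteral(literal: string): boolean {
  return literalEnd(literal) === literal.length;
}

// Constructed sample input: a backslash immediately before a single quote.
const SAMPLE = "x\\' trailing";

// Weak escaper yields 'x\'' trailing': the literal closes after x\' and
// " trailing'" is left outside it; the hardened escaper keeps it all inside.
console.log(escapeQuotesOnly(SAMPLE), isSafeLiteral(escapeQuotesOnly(SAMPLE)));        // false
console.log(escapeBackslashAware(SAMPLE), isSafeLiteral(escapeBackslashAware(SAMPLE))); // true
```

The scanner assumes BACKSLASH_ESCAPES is on; under MySQL's NO_BACKSLASH_ESCAPES mode a doubled backslash is stored as two characters, which is one reason parameter binding through the driver is preferable to building literals in application code.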

Affected Version(s)

kysely >= 0.28.12, < 0.28.14

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
