Type-safe TypeScript SQL Query Builder Vulnerability in Kysely
CVE-2026-33468

8.1 HIGH

Key Information:

Vendor: Kysely-org
Status: Vendor
CVE Published: 26 March 2026

What is CVE-2026-33468?

Kysely, a type-safe TypeScript SQL query builder, has a vulnerability in its DefaultQueryCompiler.sanitizeStringLiteral() method prior to version 0.28.14. The method escapes single quotes by doubling them but does not escape backslashes. In environments using the MySQL dialect with NO_BACKSLASH_ESCAPES set to OFF, MySQL treats a backslash as an escape character, so an attacker who places a backslash in a string literal can terminate the intended string context early and achieve arbitrary SQL injection. The issue mainly affects code paths that use ImmediateValueTransformer to inline values, notably CreateIndexBuilder.where() and CreateViewBuilder.as(). Version 0.28.14 fixes this vulnerability.
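The following added example (not Kysely's own code) models the weakness described above: a quote-only sanitizer beside a backslash-aware one, plus a small lexer that applies MySQL's string-literal rules to check whether an inlined value can close the literal early. The names sanitizeQuoteOnly, sanitizeBackslashAware, literalEnd and staysInsideLiteral are hypothetical.

```typescript
// Constructed illustration of the Kysely advisory; not the library's implementation.
type Escaper = (value: string) => string;

// Mirrors the pre-0.28.14 behaviour: single quotes are doubled, backslashes are left alone.
export const sanitizeQuoteOnly: Escaper = (value) => value.replace(/'/g, "''");

// Hardened form for MySQL with NO_BACKSLASH_ESCAPES=OFF: escape backslashes first, then quotes.
// (With NO_BACKSLASH_ESCAPES=ON the doubled backslash would itself become literal data.)
export const sanitizeBackslashAware: Escaper = (value) =>
  value.replace(/\\/g, "\\\\").replace(/'/g, "''");

// Inline a value as a single-quoted SQL literal using the given escaper.
export function inlineLiteral(value: string, escape: Escaper): string {
  return `'${escape(value)}'`;
}

// Scan a single-quoted literal with MySQL lexing rules and return the index just past its
// closing quote, or -1 if it never closes. backslashEscapes=true models NO_BACKSLASH_ESCAPES=OFF.
export function literalEnd(sql: string, backslashEscapes = true): number {
  if (sql[0] !== "'") return -1;
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (backslashEscapes && c === "\\") { i += 2; continue; } // backslash escapes the next char
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }          // '' stays inside the literal
      return i + 1;                                           // lone quote closes the literal
    }
    i++;
  }
  return -1;
}

// True when the whole generated text is one literal, i.e. the value cannot break out of it.
export function staysInsideLiteral(value: string, escape: Escaper, backslashEscapes = true): boolean {
  const sql = inlineLiteral(value, escape);
  return literalEnd(sql, backslashEscapes) === sql.length;
}
```

With NO_BACKSLASH_ESCAPES=OFF, a constructed value such as `a\'b` passes the quote-only sanitizer as `'a\''b'`, where MySQL reads `\'` as an escaped quote and the next `'` as the end of the literal, leaving `b'` outside the string.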

Affected Version(s)

kysely < 0.28.14

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
