CVE-2026-33442
Received Received - Intake
SQL Injection in Kysely Query Compiler via Improper String Escaping

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` β†’ `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33442
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kysely kysely From 0.28.12 (inc) to 0.28.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33442 is a high-severity SQL Injection vulnerability in the Kysely TypeScript SQL query builder library, specifically in versions 0.28.12 and 0.28.13. The issue occurs because the method `sanitizeStringLiteral` escapes single quotes by doubling them but does not escape backslashes. On MySQL databases using the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote in JSON path keys, which neutralizes the escaping and breaks out of the string literal.

This allows the attacker to inject arbitrary SQL commands through JSON path builder methods like `.key()`. The vulnerability arises because MySQL interprets a backslash before a single quote as an escaped quote, allowing the attacker to terminate the string literal early and append malicious SQL.

The problem is fixed in version 0.28.14 by modifying the `sanitizeStringLiteral` method to also escape backslashes, preventing this bypass.

Impact Analysis

This vulnerability can lead to SQL Injection attacks, allowing an attacker to execute arbitrary SQL commands on your MySQL or MariaDB database when using Kysely versions 0.28.12 or 0.28.13.

  • Data exfiltration: Attackers can read sensitive data from the database.
  • Data modification: Attackers can alter or corrupt data.
  • Data deletion or full database compromise depending on the database user's privileges and configuration.

The attack requires no user interaction or privileges and can be performed remotely over the network, making it highly dangerous.

Detection Guidance

This vulnerability can be detected by analyzing queries generated by Kysely versions 0.28.12 and 0.28.13 that use JSON path keys with user-controlled input. Specifically, look for queries where JSON path string literals contain backslashes before single quotes, which may indicate an attempt to exploit the improper escaping.

To detect exploitation attempts on your system or network, you can monitor MySQL query logs for suspicious patterns such as JSON path expressions containing backslash-single quote sequences (e.g., \').

Example commands to search MySQL logs for potential exploitation attempts include:

  • Using grep on MySQL general query log or slow query log files to find suspicious JSON path keys: grep -E "\\'" /path/to/mysql/logfile.log
  • Using MySQL to search recent queries if query logging is enabled: SELECT * FROM mysql.general_log WHERE argument LIKE '%\\\'%';

Additionally, review application code or logs for usage of Kysely `.key()` or `.at()` methods with user input that might contain backslashes before single quotes.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Kysely to version 0.28.14 or later, where the `sanitizeStringLiteral` method has been fixed to properly escape backslashes in addition to single quotes.

If upgrading is not immediately possible, consider implementing a temporary workaround by overriding the `sanitizeStringLiteral` method in your MySQL-specific compiler to escape backslashes as well as single quotes.

Also, review and sanitize any user input passed to `.key()`, `.at()`, or other JSON path builder methods to ensure it does not contain malicious backslash-single quote sequences.

Finally, monitor your database logs for suspicious queries and consider restricting database user privileges and disabling multiple statement execution if possible to reduce the impact of any potential injection.

Compliance Impact

This vulnerability enables SQL Injection attacks that can lead to arbitrary SQL execution, including data exfiltration, modification, or deletion depending on database privileges.

Such unauthorized access or manipulation of sensitive data can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate the protection of personal and health information.

Therefore, if exploited, this vulnerability could compromise compliance by exposing or altering protected data without authorization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart