VYPR
High severity, score 8.1. NVD advisory. Published Mar 26, 2026. Updated Mar 31, 2026.

CVE-2026-33468

Description

Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's DefaultQueryCompiler.sanitizeStringLiteral() escapes single quotes only by doubling them (' becomes '') and does not escape backslashes. When used with the MySQL dialect (where NO_BACKSLASH_ESCAPES is OFF by default, so a backslash escapes the character after it), an attacker can place a backslash before the trailing quote of a string literal so that the quote no longer closes the string, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses ImmediateValueTransformer to inline values into the query text, specifically CreateIndexBuilder.where() and CreateViewBuilder.as(). Version 0.28.14 contains a fix.
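The following TypeScript is an added example, not Kysely's code and not the 0.28.14 patch. `quoteOnlyLiteral` reproduces the quote-doubling behaviour the description attributes to the old `sanitizeStringLiteral()`; `mysqlSafeLiteral` is an assumed hardening that also escapes backslashes; and `literalIsClosed` is a constructed check that walks a rendered literal with MySQL's default escape rules (NO_BACKSLASH_ESCAPES OFF) and reports whether the trailing quote really closes the string. The sample values are constructed.

```typescript
// Pre-fix behaviour as described in the advisory: single quotes are doubled,
// backslashes are passed through untouched.
function quoteOnlyLiteral(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Assumed hardened variant (not Kysely's actual patch): escape backslashes
// first, then double quotes, so no backslash can consume the closing quote
// when the server reads the literal with backslash escaping enabled.
function mysqlSafeLiteral(value: string): string {
  const escaped = value.replace(/\\/g, "\\\\").replace(/'/g, "''");
  return `'${escaped}'`;
}

// Scan a single-quoted MySQL literal that starts at `start` using the
// default (NO_BACKSLASH_ESCAPES OFF) rules: a backslash escapes the next
// character and a doubled quote is a literal quote. Returns the index just
// past the closing quote, or -1 if the string never closes.
function mysqlLiteralEnd(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") {
      i += 2; // escaped character, whatever it is
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // '' inside the body is one literal quote
        continue;
      }
      return i + 1; // real closing quote
    }
    i += 1;
  }
  return -1; // ran off the end: the trailing quote was escaped away
}

// A rendered literal is safe to inline only if the scanner consumes exactly
// the whole literal, i.e. the final quote is the closing quote.
function literalIsClosed(literal: string): boolean {
  return mysqlLiteralEnd(literal, 0) === literal.length;
}

// Constructed inputs: a value with an embedded quote and a value ending in a
// backslash. Only the hardened escaper keeps the second one closed.
const samples = ["O'Reilly", "trailing\\"];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    "quote-only closed:", literalIsClosed(quoteOnlyLiteral(s)),
    "hardened closed:", literalIsClosed(mysqlSafeLiteral(s)),
  );
}
```

The check is the part worth keeping around: any code that inlines values into SQL text rather than binding them as parameters can run `literalIsClosed` on its output as a regression test, independent of which escaping routine produced the literal.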


Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
kysely    npm         < 0.28.14           0.28.14

Affected products: 12

References: 3

News mentions: 0 (no linked articles in the index yet)