CVE-2026-33468
Description
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's DefaultQueryCompiler.sanitizeStringLiteral() only escapes single quotes by doubling them (' → '') but does not escape backslashes. When used with the MySQL dialect (where NO_BACKSLASH_ESCAPES is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses ImmediateValueTransformer to inline values — specifically CreateIndexBuilder.where() and CreateViewBuilder.as(). Version 0.28.14 contains a fix.
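The following TypeScript is an added worked example, not code from Kysely or from the advisory. It reconstructs the escaping behaviour the description attributes to the pre-0.28.14 sanitizer (quote doubling only), places a hardened variant beside it, and scans the resulting literal with MySQL's quoting rules to show exactly what text escapes the string and reaches the parser as SQL. The function names (`sanitizeVulnerable`, `sanitizeMysqlSafe`, `scanMysqlLiteral`, `leakedSql`), the `WHERE name = ...` clause and the attacker payload are all constructed for illustration and are not Kysely identifiers.

```typescript
// Added example (not Kysely's code). Reconstruction of the escaping bug
// described in the advisory plus a MySQL-semantics literal scanner.

// Mirrors the described pre-0.28.14 behaviour: single quotes are doubled,
// backslashes pass through untouched. Reconstructed for illustration.
function sanitizeVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened variant for a dialect where backslash is an escape character:
// double backslashes as well, so a trailing "\" can never consume the
// closing quote.
function sanitizeMysqlSafe(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Inline a value as a single-quoted literal, as an inlining transformer
// would when emitting DDL that cannot carry bind parameters.
function inlineLiteral(value: string, sanitize: (v: string) => string): string {
  return `'${sanitize(value)}'`;
}

// Scan a single-quoted string literal beginning at `start` (the opening
// quote) using MySQL rules. Returns the index just past the closing quote,
// or -1 if the literal never terminates. With backslashEscapes = true
// (NO_BACKSLASH_ESCAPES OFF, the MySQL default) "\x" is an escape sequence,
// so a quote following a backslash does not close the string. A doubled
// quote "''" is a literal quote in either mode.
function scanMysqlLiteral(sql: string, start: number, backslashEscapes: boolean): number {
  if (sql[start] !== "'") throw new Error("expected opening quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && backslashEscapes) {
      i += 2; // escape sequence: skip the escaped character
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote inside the literal
        continue;
      }
      return i + 1; // closing quote found
    }
    i++;
  }
  return -1;
}

// Build a hypothetical WHERE clause containing the inlined value and return
// whatever text falls outside the literal, i.e. what the server parses as
// SQL rather than as string content.
function leakedSql(value: string, sanitize: (v: string) => string, backslashEscapes: boolean): string {
  const sql = `WHERE name = ${inlineLiteral(value, sanitize)}`;
  const start = sql.indexOf("'");
  const end = scanMysqlLiteral(sql, start, backslashEscapes);
  return end === -1 ? "<unterminated literal>" : sql.slice(end);
}

// Constructed attacker input: the backslash neutralises the doubled quote
// that the vulnerable sanitizer produces, leaving one quote to close the
// string early.
const PAYLOAD = "x\\' OR 1=1 -- ";

// Vulnerable sanitizer, default MySQL mode: " OR 1=1 -- '" leaks as SQL.
console.log(JSON.stringify(leakedSql(PAYLOAD, sanitizeVulnerable, true)));
// Hardened sanitizer, same mode: nothing leaks.
console.log(JSON.stringify(leakedSql(PAYLOAD, sanitizeMysqlSafe, true)));
// Vulnerable sanitizer with NO_BACKSLASH_ESCAPES ON: nothing leaks either,
// which is why that mode is a mitigation but not the default.
console.log(JSON.stringify(leakedSql(PAYLOAD, sanitizeVulnerable, false)));
// A lone trailing backslash leaves the literal unterminated.
console.log(leakedSql("x\\", sanitizeVulnerable, true));
```

The practical check for a deployment: any value passed to an inlining path such as `CreateIndexBuilder.where()` or `CreateViewBuilder.as()` on the MySQL dialect must be treated as trusted until the package is at 0.28.14 or later, because those paths cannot fall back to bind parameters. Enabling NO_BACKSLASH_ESCAPES on the server closes this particular breakout, as the third call above shows, but it changes string semantics globally and is not a substitute for the upgrade.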
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kysely (npm) | < 0.28.14 | 0.28.14 |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx (vendor advisory; NVD tags: Exploit, Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-8cpq-38p9-67gx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33468 (NVD advisory)