VYPR

npm package

kysely

pkg:npm/kysely

Vulnerabilities (4)

  • CVE-2026-44635 · High · May 27, 2026
    affected >= 0.26.0, < 0.28.17; fixed 0.28.17

    Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-s

  • CVE-2026-33468 · High · Mar 26, 2026
    affected < 0.28.14; fixed 0.28.14

    Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ES

  • CVE-2026-33442 · High · Mar 26, 2026
    affected >= 0.28.12, < 0.28.14; fixed 0.28.14

    Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attack

  • CVE-2026-32763 · High · Mar 20, 2026
    affected >= 0.26.0, < 0.28.12; fixed 0.28.12

    Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for the MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly i