Cyber Resilience

CVE-2026-33442

High · Public PoC

Published: 26 March 2026

Modified: 31 March 2026
KEV Added: not listed
Patch: 0.28.14
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (35.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33442 is a high-severity SQL injection (CWE-89) vulnerability in Kysely (vendor: Kysely). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 35.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33442 is a SQL injection vulnerability (CWE-89) affecting Kysely, a type-safe TypeScript SQL query builder, specifically in versions 0.28.12 and 0.28.13. The flaw resides in the `sanitizeStringLiteral` method within Kysely's query compiler, which escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. This incomplete escaping enables attackers to break out of JSON path string literals when using MySQL databases in the default `BACKSLASH_ESCAPES` SQL mode.

A remote, unauthenticated attacker can exploit this vulnerability over the network by injecting a backslash before a single quote, neutralizing the single-quote escaping and allowing arbitrary SQL injection. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high attack complexity but potential for high impacts on confidentiality, integrity, and availability once exploited.

Kysely version 0.28.14 addresses the issue with a fix to the escaping logic. Additional details are available in the GitHub security advisory at https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv.


Vulnerability details

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
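To make the escaping gap concrete, here is an added TypeScript illustration (not Kysely's own code): the flawed quote-doubling escaper as the advisory describes it, beside a hardened variant that also escapes backslashes (an assumed defensive form, not necessarily the change shipped in 0.28.14), plus a simplified scanner for MySQL's default backslash-escape literal syntax that checks whether escaped input stays confined to its string literal. The scanner ignores NO_BACKSLASH_ESCAPES mode, double-quoted strings and comments.

```typescript
// Added illustration, not Kysely's code. Models the escaping behaviour the
// advisory describes and a minimal MySQL-style literal scanner to check it.

// Flawed escaper as described for Kysely 0.28.12/0.28.13: doubles single
// quotes only; backslashes pass through untouched.
function sanitizeStringLiteralFlawed(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened escaper (assumed defensive form, not necessarily the 0.28.14 fix):
// escape the escape character first, then double the quote.
function sanitizeStringLiteralHardened(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Simulates how MySQL in its default BACKSLASH_ESCAPES mode scans a
// single-quoted literal: a backslash consumes the next character, '' is a
// literal quote, and a lone ' ends the literal. Returns the index just past
// the closing quote, or -1 if the literal never closes.
function literalEndIndex(sql: string, start: number): number {
  if (sql[start] !== "'") throw new Error("expected opening quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }          // backslash escape
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote
      return i + 1;                                 // closing quote
    }
    i += 1;
  }
  return -1;
}

// Builds a JSON-path style literal the way a query compiler would (constructed
// statement shape, not Kysely's real output) and verifies that the user input
// stays confined to it: the literal must close exactly where the compiler
// placed its closing quote. False means the escaping was defeated.
function inputStaysInsideLiteral(
  escape: (v: string) => string,
  userInput: string,
): boolean {
  const literal = "'" + escape(userInput) + "'";
  const sql = "SELECT JSON_EXTRACT(doc, " + literal + ") FROM t";
  const start = sql.indexOf("'");
  return literalEndIndex(sql, start) === start + literal.length;
}
```

Running the check with the flawed escaper on input containing a backslash followed by a single quote returns false (the literal no longer closes where intended), while the hardened escaper returns true for the same input; ordinary quotes and trailing backslashes are also handled by the hardened form.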


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a network-reachable query builder directly enables remote exploitation of public-facing applications: arbitrary SQL commands can be submitted over the network with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32763 (same product: Kysely Kysely)
CVE-2026-33468 (same product: Kysely Kysely)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)

Affected Assets

kysely (vendor: kysely), versions 0.28.12 — 0.28.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2, Flaw Remediation): Timely remediation by patching Kysely to version 0.28.14 or later directly eliminates the flawed escaping logic enabling SQL injection.

Prevent (SI-10, Information Input Validation): Validating information inputs to the query builder prevents acceptance of malicious payloads, such as backslash-preceded single quotes, that exploit the escaping flaw.

Detect: Vulnerability scanning identifies deployments using vulnerable Kysely versions 0.28.12 or 0.28.13, enabling proactive remediation.
