CVE-2026-33442
Published: 26 March 2026
Summary
CVE-2026-33442 is a high-severity SQL Injection (CWE-89) vulnerability in Kysely. Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33442 is a SQL injection vulnerability (CWE-89) affecting Kysely, a type-safe TypeScript SQL query builder, specifically in versions 0.28.12 and 0.28.13. The flaw resides in the `sanitizeStringLiteral` method within Kysely's query compiler, which escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. This incomplete escaping enables attackers to break out of JSON path string literals when using MySQL databases in the default `BACKSLASH_ESCAPES` SQL mode.
A remote, unauthenticated attacker can exploit this vulnerability over the network by injecting a backslash before a single quote, neutralizing the single-quote escaping and allowing arbitrary SQL injection. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high attack complexity but potential for high impacts on confidentiality, integrity, and availability once exploited.
Kysely version 0.28.14 addresses the issue with a fix to the escaping logic. Additional details are available in the GitHub security advisory at https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16264
Vulnerability details
Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
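As an added example (not Kysely's code and not its actual fix), the snippet below models the escaping defect described above and in the deeper analysis: `escapeQuotesOnly` doubles single quotes only, `escapeForMysqlBackslashMode` also escapes backslashes, and `staysInsideLiteral` is a defensive self-check modelled on how a MySQL lexer in `BACKSLASH_ESCAPES` mode consumes a quoted literal. Function names and the sample value are assumptions.

```typescript
// Added example modelling the CVE-2026-33442 escaping defect. Not Kysely's code;
// function names and the sample input are hypothetical.

// Vulnerable pattern described in the advisory: only the single quote is doubled,
// so a value containing \' keeps a backslash in front of the first doubled quote.
function escapeQuotesOnly(value: string): string {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hardened variant for a MySQL server in its default BACKSLASH_ESCAPES mode:
// the backslash is escaped first, then the quote. (Assumed fix strategy; under
// NO_BACKSLASH_ESCAPES the backslash must NOT be doubled.)
function escapeForMysqlBackslashMode(value: string): string {
  return "'" + value.replace(/\\/g, "\\\\").replace(/'/g, "''") + "'";
}

// Minimal model of how a backslash-escaping lexer consumes a quoted literal
// starting at `start`. Returns the index just past the closing quote, or -1
// when the literal never terminates.
function literalEndIndex(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }            // backslash escapes the next char
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote is a literal quote
      return i + 1;                                 // closing quote found
    }
    i++;
  }
  return -1;
}

// Defensive check a query compiler could run on its own output: the escaped
// value must form exactly one literal that ends where the string ends. If the
// literal closes early, whatever follows it would be parsed as SQL.
function staysInsideLiteral(escaped: string): boolean {
  return literalEndIndex(escaped, 0) === escaped.length;
}

// Constructed sample: a value containing a backslash followed by a single quote.
const sample = "a\\'b";
console.log(escapeQuotesOnly(sample), staysInsideLiteral(escapeQuotesOnly(sample)));                         // 'a\''b' false
console.log(escapeForMysqlBackslashMode(sample), staysInsideLiteral(escapeForMysqlBackslashMode(sample)));   // 'a\\''b' true
```

The quote-only variant produces a literal that closes after `\'`, so the check fails; the hardened variant keeps the whole value inside one literal.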
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-reachable query builder directly enables remote exploitation of public-facing applications: arbitrary SQL commands can be issued over the network with no authentication required.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely remediation by patching Kysely to version 0.28.14 or later directly eliminates the flawed escaping logic that enables SQL injection.
- SI-10 (Information Input Validation): validating inputs before they reach the query builder prevents acceptance of malicious payloads, such as backslash-preceded single quotes, that exploit the escaping flaw.
- Vulnerability scanning identifies deployments using the vulnerable Kysely versions 0.28.12 or 0.28.13, enabling proactive remediation.