CVE-2026-33468
Published: 26 March 2026
Summary
CVE-2026-33468 is a high-severity SQL Injection (CWE-89) vulnerability in Kysely, the type-safe TypeScript SQL query builder. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33468 is a SQL injection vulnerability in Kysely, a type-safe TypeScript SQL query builder, affecting versions prior to 0.28.14. The flaw resides in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, which escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. In the MySQL dialect, where `NO_BACKSLASH_ESCAPES` is off by default, this allows an attacker to use a backslash to escape the trailing quote of a string literal, breaking out of the string context to inject arbitrary SQL. The vulnerability impacts code paths that use `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`.
The attack requires network access with no privileges or user interaction but demands high complexity, earning a CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Remote unauthenticated attackers can exploit it by supplying malicious input to affected query builder methods, enabling arbitrary SQL injection. This could lead to unauthorized data access, modification, or deletion, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
The Kysely GitHub security advisory recommends upgrading to version 0.28.14, which includes a fix for proper backslash escaping. Practitioners should review applications using Kysely with MySQL for exposure in the specified builders and apply the patch promptly. Details are available at https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16265
Vulnerability details
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
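The escaping defect described above and in the deeper analysis, as an added example that is not Kysely's own code: a vulnerable and a fixed sanitizer in the shape the advisory describes, a small model of how MySQL delimits a string literal when `NO_BACKSLASH_ESCAPES` is off, and a check that reports whether an inlined value stayed inside its quotes. The function names and the "fixed" escaping order are this example's assumptions, not Kysely's implementation.

```typescript
// Added example, not Kysely's code: models sanitizeStringLiteral() before/after the 0.28.14 fix.
type Sanitizer = (value: string) => string;

// Pre-fix: only single quotes are doubled; backslashes pass through untouched.
function sanitizeVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Fixed (as modelled here): double backslashes first, then single quotes.
function sanitizeFixed(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Inline a value as a quoted literal, as ImmediateValueTransformer-style
// inlining does for CreateIndexBuilder.where() and CreateViewBuilder.as().
function inlineLiteral(value: string, sanitize: Sanitizer): string {
  return `'${sanitize(value)}'`;
}

// Minimal model of MySQL's string scanner with NO_BACKSLASH_ESCAPES off:
// a backslash consumes the next character and '' is an escaped quote.
// Returns the index just past the closing quote, or -1 if it never closes.
function literalEnd(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    if (sql[i] === "\\") { i += 2; continue; }
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i += 1;
  }
  return -1;
}

// Did the literal close, and what text landed outside it (parsed as SQL, not data)?
interface LiteralCheck { closed: boolean; outside: string }
function checkInlined(value: string, sanitize: Sanitizer): LiteralCheck {
  const lit = inlineLiteral(value, sanitize);
  const end = literalEnd(lit, 0);
  return end === -1 ? { closed: false, outside: "" } : { closed: true, outside: lit.slice(end) };
}

// A value is contained only if the literal closes with nothing leaking out.
function isContained(value: string, sanitize: Sanitizer): boolean {
  const r = checkInlined(value, sanitize);
  return r.closed && r.outside === "";
}
```

A value ending in a lone backslash leaves the vulnerable literal unclosed, and a backslash followed by a quote lets trailing text escape the string context; with backslashes doubled first, both inputs stay contained.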
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Kysely query builder (via unsanitized input to CreateIndexBuilder.where() and CreateViewBuilder.as()) enables remote unauthenticated attackers to execute arbitrary SQL against MySQL-backed applications, directly mapping to exploitation of public-facing apps.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely flaw remediation by upgrading Kysely to version 0.28.14 directly eliminates the SQL injection vulnerability in the sanitizeStringLiteral function.
- SI-10 (Information Input Validation): validating information inputs to affected Kysely methods like CreateIndexBuilder.where() and CreateViewBuilder.as() prevents malicious payloads from breaking out of string literals.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies the presence of vulnerable Kysely versions prior to 0.28.14 in application dependencies.