Cyber Resilience

CVE-2026-33468

Severity: High · Public PoC

Published: 26 March 2026

Modified: 31 March 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0042 (33.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33468 is a high-severity SQL Injection (CWE-89) vulnerability in Kysely, the Kysely project's TypeScript SQL query builder. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33468 is a SQL injection vulnerability in Kysely, a type-safe TypeScript SQL query builder, affecting versions prior to 0.28.14. The flaw resides in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, which escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. In the MySQL dialect, where `NO_BACKSLASH_ESCAPES` is off by default, this allows an attacker to use a backslash to escape the trailing quote of a string literal, breaking out of the string context to inject arbitrary SQL. The vulnerability impacts code paths that use `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`.

The attack requires network access with no privileges or user interaction but demands high complexity, earning a CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Remote unauthenticated attackers can exploit it by supplying malicious input to affected query builder methods, enabling arbitrary SQL injection. This could lead to unauthorized data access, modification, or deletion, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The Kysely GitHub security advisory recommends upgrading to version 0.28.14, which includes a fix for proper backslash escaping. Practitioners should review applications using Kysely with MySQL for exposure in the specified builders and apply the patch promptly. Details are available at https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx.

Vulnerability details

Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
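As an added illustration (not Kysely's own code, and not the project's actual patch), the escaping behaviour described in the analysis and vulnerability details above, modelled in TypeScript: the pre-fix rule that only doubles single quotes beside a hardened rule that also doubles backslashes, plus a small scanner that models how MySQL reads a single-quoted literal when `NO_BACKSLASH_ESCAPES` is off. All function names and the sample inputs are constructed for this example.

```typescript
// Added example: simplified model of the escaping rules described above.
// Not Kysely's code; function names are hypothetical.

// Pre-0.28.14 behaviour as described: only single quotes are doubled.
function sanitizeQuotesOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened rule (an assumption about the fix's intent, not Kysely's actual patch):
// double backslashes first, then double quotes, so no backslash can consume the
// closing quote. Correct for MySQL with NO_BACKSLASH_ESCAPES off; a dialect that
// treats backslash literally would instead keep the plain quote-doubling rule.
function sanitizeForMysql(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Model of how MySQL scans a single-quoted literal (NO_BACKSLASH_ESCAPES off):
// a backslash escapes the next character, a doubled quote is a literal quote,
// any other single quote closes the literal. Returns the index just past the
// closing quote, or -1 if the literal never closes.
function scanMysqlLiteral(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\") { i += 2; continue; }
    if (ch === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i += 1;
  }
  return -1;
}

// True when quoting the escaped value yields exactly one closed literal, i.e. the
// value can neither close the string early nor swallow the trailing quote.
function staysInsideLiteral(escaped: string): boolean {
  const literal = `'${escaped}'`;
  return scanMysqlLiteral(literal, 0) === literal.length;
}

function oldRuleIsSafe(value: string): boolean { return staysInsideLiteral(sanitizeQuotesOnly(value)); }
function fixedRuleIsSafe(value: string): boolean { return staysInsideLiteral(sanitizeForMysql(value)); }

// Constructed inputs: a plain value, one with a quote, one ending in a backslash.
for (const v of ["plain", "O'Neil", "ends-with\\"]) {
  console.log(JSON.stringify(v), "old:", oldRuleIsSafe(v), "fixed:", fixedRuleIsSafe(v));
}
```

The trailing-backslash input is the case the advisory describes: under the old rule the literal never closes, under the hardened rule it does.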

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in Kysely query builder (via unsanitized input to CreateIndexBuilder.where() and CreateViewBuilder.as()) enables remote unauthenticated attackers to execute arbitrary SQL against MySQL-backed applications, directly mapping to exploitation of public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32763 (same product: Kysely)
CVE-2026-33442 (same product: Kysely)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)

Affected Assets

Vendor: kysely
Product: kysely
Versions: prior to 0.28.14 (fixed in 0.28.14)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-2 Flaw Remediation): Timely flaw remediation by upgrading Kysely to version 0.28.14 directly eliminates the SQL injection vulnerability in the sanitizeStringLiteral function.

Prevent (SI-10 Information Input Validation): Validating information inputs to affected Kysely methods like CreateIndexBuilder.where() and CreateViewBuilder.as() prevents malicious payloads from breaking out of string literals.

Detect: Vulnerability scanning identifies vulnerable Kysely versions prior to 0.28.14 in application dependencies.