Kysely SQL Injection Vulnerability (CVE-2026-33468)
A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.
Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the DefaultQueryCompiler.sanitizeStringLiteral() function’s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect’s default setting where NO_BACKSLASH_ESCAPES is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…
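The following is an added example, not code from Kysely or from this advisory. It models the escaping defect the advisory describes with two hypothetical sanitizers (a quote-only one standing in for the pre-0.28.14 behaviour of `sanitizeStringLiteral()`, and a backslash-aware one), a small MySQL-style literal tokenizer that assumes `NO_BACKSLASH_ESCAPES` is OFF, and the backslash-plus-quote heuristic used by the detection rule below. The sample value `O\'Brien` is constructed; it contains no SQL, yet under the quote-only sanitizer the trailing text lands outside the string literal, which is the condition the hardened sanitizer prevents.

```typescript
// Added example (not Kysely's code). Simplified model of CVE-2026-33468:
// a sanitizer that doubles single quotes but leaves backslashes alone,
// compared with one that escapes backslashes first. The MySQL tokenizer
// below assumes NO_BACKSLASH_ESCAPES=OFF (the default the advisory cites).

// Assumed model of the flawed behaviour: only single quotes are doubled.
function quoteOnlySanitize(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened model: backslashes are doubled first, so a backslash can never
// pair with the quote that follows it; quotes are then doubled as before.
function backslashAwareSanitize(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Tokenizes a quoted MySQL literal starting at index 0 and returns the
// decoded literal plus whatever text follows the closing quote.
// Rules modelled: `\x` yields x, `''` yields a single quote, a lone `'` closes.
function splitLiteral(sql: string): { literal: string; rest: string } {
  if (sql[0] !== "'") throw new Error("expected literal to start with a quote");
  let out = "";
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && i + 1 < sql.length) {
      out += sql[i + 1]; // backslash escape: next character is taken literally
      i += 2;
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        out += "'"; // doubled quote is an escaped quote
        i += 2;
        continue;
      }
      return { literal: out, rest: sql.slice(i + 1) }; // closing quote
    }
    out += c;
    i += 1;
  }
  return { literal: out, rest: "" }; // unterminated literal
}

// Detection heuristic from the rule on this page: a backslash immediately
// followed by a single quote in untrusted input.
function hasBackslashQuote(input: string): boolean {
  return /\\'/.test(input);
}

// Wraps the sanitized value in quotes and reports whether the whole value
// stayed inside one literal (rest === "") under the MySQL rules above.
function literalStaysClosed(sanitize: (v: string) => string, value: string): boolean {
  const { rest } = splitLiteral(`'${sanitize(value)}'`);
  return rest === "";
}

// Constructed sample: a benign name containing a backslash followed by a quote.
const sample = "O\\'Brien";

console.log("flagged by heuristic:", hasBackslashQuote(sample));            // true
console.log("quote-only stays closed:", literalStaysClosed(quoteOnlySanitize, sample));       // false
console.log("backslash-aware stays closed:", literalStaysClosed(backslashAwareSanitize, sample)); // true
```

The tokenizer is what makes the check meaningful: rather than eyeballing the escaped string, it applies the same rules the database would and asks whether any text survives past the closing quote. A value without a backslash, such as `O'Brien`, is handled correctly by both sanitizers, which is why quote doubling alone looks sufficient until a backslash precedes the quote.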
Detection coverage (2 rules)
Detect Suspicious Kysely Input (severity: high)
Detects potentially malicious input strings containing backslashes followed by single quotes, which could indicate SQL injection attempts in Kysely applications.
Detect SQL Injection Attempts via URI (severity: medium)
Detects SQL injection attempts in the URI of HTTP requests by looking for common SQL injection characters and keywords.