Threat Feed
Advisory severity: high

SQL Injection Vulnerability in Kysely TypeScript Library (CVE-2026-33442)

Kysely versions 0.28.12 and 0.28.13 are vulnerable to SQL injection due to insufficient escaping of backslashes in the `sanitizeStringLiteral` method, potentially leading to arbitrary SQL execution on MySQL servers.

Kysely, a type-safe TypeScript SQL query builder, is affected by a SQL injection vulnerability tracked as CVE-2026-33442. The flaw lies in the `sanitizeStringLiteral` method of the query compiler in versions 0.28.12 and 0.28.13: the method escapes single quotes correctly but leaves backslashes unescaped. On MySQL servers running in the default SQL mode, where backslash escapes are enabled, this oversight allows an attacker to inject a backslash…

Detection coverage (2 rules)

Detect Potential SQL Injection via Backslash-Quote in Web Logs

Severity: high

Detects potential SQL injection attempts exploiting the Kysely vulnerability (CVE-2026-33442) by searching for backslash-quote patterns in web server logs.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver, linux.

Detect Potential SQL Injection via Backslash-Quote in Application Logs

Severity: high

Detects potential SQL injection attempts exploiting the Kysely vulnerability (CVE-2026-33442) by searching for backslash-quote patterns in application logs.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver, windows.

Detection queries are kept inside the platform.
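As an added illustration (not Kysely's `sanitizeStringLiteral` and not the platform's Sigma rules): a simplified model of the escaping defect described in the advisory, a reader that checks whether a MySQL literal still closes when backslash escapes are active, and the backslash-quote log check the two rules above describe, run over constructed log lines.

```typescript
// Added model of the escaping defect the advisory describes; not Kysely's code.

// Vulnerable shape: only the single quote is escaped (by doubling it).
function quoteOnlyLiteral(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Hardened shape for MySQL with backslash escapes active: escape the backslash
// first, then the quote, so no input character can reach the delimiter.
function mysqlLiteral(value: string): string {
  return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "''")}'`;
}

// Reads a quoted literal the way MySQL does with backslash escapes enabled
// (backslash escapes the next character, '' is a literal quote). True only if
// the literal closes exactly at the end; false means the delimiter was eaten.
function literalClosesCleanly(literal: string): boolean {
  if (literal[0] !== "'") return false;
  let i = 1;
  while (i < literal.length) {
    const c = literal[i];
    if (c === "\\") { i += 2; continue; }              // escaped character
    if (c === "'") {
      if (literal[i + 1] === "'") { i += 2; continue; } // doubled quote
      return i === literal.length - 1;                   // closing quote
    }
    i += 1;
  }
  return false; // ran off the end without closing
}

// Detection side: flag lines carrying a backslash immediately followed by a
// quote, after decoding %XX escapes so percent-encoded web requests count too.
const BACKSLASH_QUOTE = /\\['"]/;
function decodePercent(line: string): string {
  return line.replace(/%([0-9A-Fa-f]{2})/g, (_m, h) => String.fromCharCode(parseInt(h, 16)));
}

function backslashQuoteHits(lines: string[]): string[] {
  return lines.filter((line) => BACKSLASH_QUOTE.test(decodePercent(line)));
}

// Constructed sample log lines (not real traffic): one benign web request,
// one percent-encoded backslash-quote, one application log with the raw pair.
const SAMPLE_LOGS: string[] = [
  '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /users?name=alice HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /users?name=bob%5C%27 HTTP/1.1" 500 0',
  'app: query failed for input {"name":"carol\\\'"}',
];
```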