{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33468/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kysely","sql-injection","cve-2026-33468"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the \u003ccode\u003eDefaultQueryCompiler.sanitizeStringLiteral()\u003c/code\u003e function\u0026rsquo;s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect\u0026rsquo;s default setting where \u003ccode\u003eNO_BACKSLASH_ESCAPES\u003c/code\u003e is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…\u003c/p\u003e\n","date_modified":"2026-03-26T17:16:41Z","date_published":"2026-03-26T17:16:41Z","id":"/briefs/2024-01-02-kysely-sql-injection/","summary":"A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.","title":"Kysely SQL Injection Vulnerability (CVE-2026-33468)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33468","version":"https://jsonfeed.org/version/1.1"}