https://feed.craftedsignal.io/tags/cve-2026-33468/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 26 Mar 2026 17:16:41 +0000https://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/Thu, 26 Mar 2026 17:16:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the DefaultQueryCompiler.sanitizeStringLiteral() function’s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect’s default setting where NO_BACKSLASH_ESCAPES is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…

]]>highadvisorykyselysql-injectioncve-2026-33468