{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kysely/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kysely","sql-injection","cve-2026-33468"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the \u003ccode\u003eDefaultQueryCompiler.sanitizeStringLiteral()\u003c/code\u003e function\u0026rsquo;s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect\u0026rsquo;s default setting where \u003ccode\u003eNO_BACKSLASH_ESCAPES\u003c/code\u003e is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…\u003c/p\u003e\n","date_modified":"2026-03-26T17:16:41Z","date_published":"2026-03-26T17:16:41Z","id":"/briefs/2024-01-02-kysely-sql-injection/","summary":"A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.","title":"Kysely SQL Injection Vulnerability (CVE-2026-33468)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","kysely","cve-2026-33442"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability identified as CVE-2026-33442. The vulnerability resides in the \u003ccode\u003esanitizeStringLiteral\u003c/code\u003e method of the query compiler within versions 0.28.12 and 0.28.13. The method inadequately handles backslashes, failing to escape them, while properly escaping single quotes. On MySQL servers configured with the default \u003ccode\u003eBACKSLASH_ESCAPES\u003c/code\u003e SQL mode enabled, this oversight allows an attacker to inject a backslash…\u003c/p\u003e\n","date_modified":"2026-03-26T17:16:40Z","date_published":"2026-03-26T17:16:40Z","id":"/briefs/2026-03-kysely-sql-injection/","summary":"Kysely versions 0.28.12 and 0.28.13 are vulnerable to SQL injection due to insufficient escaping of backslashes in the `sanitizeStringLiteral` method, potentially leading to arbitrary SQL execution on MySQL servers.","title":"SQL Injection Vulnerability in Kysely TypeScript Library (CVE-2026-33442)","url":"https://feed.craftedsignal.io/briefs/2026-03-kysely-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Kysely","version":"https://jsonfeed.org/version/1.1"}