Kysely — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/kysely/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 26 Mar 2026 17:16:41 +0000Kysely SQL Injection Vulnerability (CVE-2026-33468)https://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/Thu, 26 Mar 2026 17:16:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-kysely-sql-injection/A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability in versions prior to 0.28.14. The vulnerability, identified as CVE-2026-33468, stems from the DefaultQueryCompiler.sanitizeStringLiteral() function’s failure to properly escape backslashes. This incomplete sanitization, in conjunction with the MySQL dialect’s default setting where NO_BACKSLASH_ESCAPES is OFF, enables attackers to bypass string literal contexts by injecting arbitrary SQL…

]]>highadvisorykyselysql-injectioncve-2026-33468SQL Injection Vulnerability in Kysely TypeScript Library (CVE-2026-33442)https://feed.craftedsignal.io/briefs/2026-03-kysely-sql-injection/Thu, 26 Mar 2026 17:16:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-kysely-sql-injection/Kysely versions 0.28.12 and 0.28.13 are vulnerable to SQL injection due to insufficient escaping of backslashes in the `sanitizeStringLiteral` method, potentially leading to arbitrary SQL execution on MySQL servers.Kysely, a type-safe TypeScript SQL query builder, is susceptible to a SQL injection vulnerability identified as CVE-2026-33442. The vulnerability resides in the sanitizeStringLiteral method of the query compiler within versions 0.28.12 and 0.28.13. The method inadequately handles backslashes, failing to escape them, while properly escaping single quotes. On MySQL servers configured with the default BACKSLASH_ESCAPES SQL mode enabled, this oversight allows an attacker to inject a backslash…

]]>highadvisorysql-injectionkyselycve-2026-33442