LeakyCreds

CVE-2026-33442 - Vulnerability Analysis

Severity: High (CVSS: 8.1)

Last Updated: March 26, 2026

Kysely - SQL Injection

Published: March 26, 2026
Updated: March 26, 2026
Remote Exploitable

Overview

Kysely 0.28.12 and 0.28.13 contain a SQL injection vulnerability caused by improper escaping of backslashes in the sanitizeStringLiteral method. On MySQL with the default BACKSLASH_ESCAPES mode, this lets an attacker inject arbitrary SQL; exploitation requires crafted input.
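The following is an added illustration of the escaping defect described above; it is not Kysely's code, and the hardened variant is a generic correction, not the change shipped in 0.28.14. The function names (`sanitizeQuotesOnly`, `sanitizeQuotesAndBackslashes`, `endOfLiteral`, `literalIsIntact`) and the sample values are constructed for this example. The small scanner models MySQL's backslash-escape rules for a single-quoted literal and is used to check whether a sanitized value stays inside exactly one string literal.

```typescript
// Added example (not Kysely's code): why escaping only single quotes is not
// enough for a SQL string literal when the server treats backslash as an escape
// character (MySQL's default BACKSLASH_ESCAPES behaviour).

// Hypothetical quotes-only sanitizer: doubles ' but leaves backslashes alone.
function sanitizeQuotesOnly(value: string): string {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hypothetical hardened sanitizer: escape backslashes first, then double the
// quotes, so neither character can change where the literal ends.
function sanitizeQuotesAndBackslashes(value: string): string {
  return "'" + value.replace(/\\/g, "\\\\").replace(/'/g, "''") + "'";
}

// Minimal scanner modelling MySQL BACKSLASH_ESCAPES rules for a literal that
// starts at index `start`: a backslash consumes the following character, and
// '' inside the literal is an escaped quote. Returns the index just past the
// closing quote, or -1 if the literal never terminates.
function endOfLiteral(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\") {
      i += 2; // backslash escapes the next character, whatever it is
      continue;
    }
    if (ch === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote stays inside the literal
        continue;
      }
      return i + 1; // unescaped single quote closes the literal
    }
    i++;
  }
  return -1;
}

// Defensive check: the sanitized output must be exactly one complete literal.
// false means the value either closed the literal early (the rest would be
// parsed as SQL) or left it unterminated.
function literalIsIntact(sanitize: (v: string) => string, value: string): boolean {
  const lit = sanitize(value);
  return endOfLiteral(lit, 0) === lit.length;
}
```

Running `literalIsIntact` over values with and without backslashes shows that the quotes-only form is sound until a backslash precedes a quote or ends the value, at which point the literal's boundary moves; the hardened form keeps every value inside a single literal. The real remedy on the advisory's page is the version upgrade, and in general bound parameters avoid string-literal construction entirely.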

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 4.8% (probability of exploitation in the next 30 days)

Impact

Attackers can inject arbitrary SQL commands, potentially leading to data compromise or full database control.

Mitigation

Upgrade to version 0.28.14 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-33442 - High (8.1) Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BAC... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33442/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33442
Severity: High
CVSS Score: 8.1
Type: sql_injection
Status: new
EPSS: 4.8%
Social Posts: 1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.8% (probability of exploitation in the next 30 days)