LeakyCreds

CVE-2026-33468 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 26, 2026

Kysely - SQL Injection

Published: March 26, 2026
Updated: March 26, 2026
Remote Exploitable

Overview

Kysely versions before 0.28.14 contain a SQL injection vulnerability caused by improper escaping of backslashes in string literals in DefaultQueryCompiler.sanitizeStringLiteral(). When values are inlined via ImmediateValueTransformer with the MySQL dialect, an attacker can inject arbitrary SQL; exploitation requires crafted input.
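As an added illustration (not Kysely's own code and not the project's fix), the snippet below models the flaw described above: a sanitizer that only doubles single quotes, a hardened variant that also escapes backslashes, and a small scanner that mimics how MySQL reads a single-quoted literal when backslash escaping is enabled (the default sql_mode). The function names, the scanner and the sample values are all constructed for this example.

```typescript
// Added example (not Kysely's own code): a model of the escaping flaw the
// advisory describes, a hardened variant, and a check for whether a
// compiled literal ends where the compiler intended.

// Escaping as described for the affected versions: only single quotes are
// doubled; backslashes pass through untouched.
function sanitizeQuoteOnly(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Hardened escaping for a MySQL server with default sql_mode (backslash is
// an escape character): escape backslashes first, then double the quotes.
function sanitizeMysqlLiteral(value: string): string {
  return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "''")}'`;
}

// Minimal model of how MySQL scans a single-quoted literal when
// NO_BACKSLASH_ESCAPES is off: a backslash escapes the next character,
// '' is an escaped quote, and the first other quote closes the literal.
// Returns the index just past the closing quote, or -1 if it never closes.
function scanMysqlLiteral(sql: string, start: number): number {
  if (sql[start] !== "'") {
    throw new Error("literal must start with a single quote");
  }
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\") {
      i += 2; // escaped character, whatever it is
      continue;
    }
    if (ch === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote inside the literal
        continue;
      }
      return i + 1; // closing quote
    }
    i += 1;
  }
  return -1;
}

// True when the sanitized output is parsed as exactly one literal: it closes
// at its last character and nowhere earlier. False means part of the
// user-controlled value would be read as SQL (early close) or the statement
// is left with an open quote (no close at all).
function literalIsSelfContained(literal: string): boolean {
  return scanMysqlLiteral(literal, 0) === literal.length;
}

// Constructed sample values covering the three interesting cases.
const samples: string[] = [
  "it's fine",     // quotes only: both sanitizers are correct
  "C:\\temp\\",    // trailing backslash: flawed output never closes
  "\\' trailing",  // backslash before a quote: flawed output closes early
];

interface SanitizerComparison {
  value: string;
  quoteOnlySafe: boolean;
  hardenedSafe: boolean;
}

function compareSanitizers(values: string[]): SanitizerComparison[] {
  return values.map((value) => ({
    value,
    quoteOnlySafe: literalIsSelfContained(sanitizeQuoteOnly(value)),
    hardenedSafe: literalIsSelfContained(sanitizeMysqlLiteral(value)),
  }));
}

for (const row of compareSanitizers(samples)) {
  console.log(JSON.stringify(row));
}
```

The check flags both failure modes of quote-only escaping: a trailing backslash leaves the literal open, and a backslash in front of a quote closes it early so that the remainder of the value is parsed as SQL. Note that the correct escaping rules depend on the server's sql_mode (under NO_BACKSLASH_ESCAPES a backslash is an ordinary character and doubling it corrupts data), which is why passing values as bind parameters rather than inlining them is the robust defence alongside the version upgrade.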

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 4.8% (probability of exploitation in the next 30 days)

Impact

Attackers can inject arbitrary SQL commands, potentially leading to data leakage, modification, or full database compromise.

Mitigation

Upgrade to version 0.28.14 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-33468 - High (8.1) Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the My... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33468/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33468
Severity: High
CVSS Score: 8.1
Type: sql_injection
Status: new
EPSS: 4.8%
Social Posts: 1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.8% (probability of exploitation in the next 30 days)