{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32763", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-03-19T23:14:58.747Z", "dateUpdated": "2026-03-19T23:14:58.747Z"}, "containers": {"cna": {"title": "SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66"}, {"name": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["x_refsource_MISC"], "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}, {"name": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12"}], "affected": [{"vendor": "kysely-org", "product": "kysely", "versions": [{"version": ">= 0.26.0, < 0.28.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:14:58.747Z"}, "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}], "source": {"advisory": "GHSA-wmrf-hv6w-mr66", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers \u2014 both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue."}], "id": "CVE-2026-32763", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:17.790", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}, {"source": "security-advisories@github.com", "url": "https://github.com/kysely-org/kysely/releases/tag/v0.28.12"}, {"source": "security-advisories@github.com", "url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-wmrf-hv6w-mr66"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.26.0,0.28.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kysely", "source": "cna", "vendor": "kysely-org"}, "product": "kysely", "vendor": "kysely-org"}], "analysis": {"en": {"generated_at": "2026-03-20T00:50:11.664339+00:00", "value": {"mitigation_remediation": ["Upgrade Kysely to version 0.28.12 or later"], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Systems affected are applications that use the Kysely library (kysely\u2011org:kysely) with the MySQL or SQLite dialects, and which provide user input to the .key() or .at() methods. Any installation of Kysely with version 0.28.11 or earlier is vulnerable. The issue is mitigated in version\u202f0.28.12 and later.", "description_and_impact": "Kysely is a type\u2011safe TypeScript SQL query builder. In versions up to and including\u202f0.28.11 a SQL injection flaw exists in the handling of JSON path keys for the MySQL and SQLite dialects. The function visitJSONPathLeg() appends values supplied via .key() or .at() directly into single\u2011quoted JSON path string literals such as '$.key' without escaping single quotes. This allows an attacker to terminate the JSON path string and inject arbitrary SQL statements, potentially leading to data exfiltration, modification, or deletion.", "risk_and_exploitability": "The vulnerability has a CVSS score of\u202f8.2, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker can supply malicious JSON path keys and that the application does not enforce strict error handling or use parameterized queries for this code path. The lack of public exploit evidence does not diminish the risk, given the simplicity of the injection path and the potential impact on data integrity and confidentiality."}}}}, "created": "2026-03-20T08:54:19.464725+00:00", "updated": "2026-03-20T10:43:46.618388+00:00", "vendors": ["kysely-org", "kysely-org$PRODUCT$kysely"]}